23542300x8000000000000000213874Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.928{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415C27ABF68B5C4ECC3F68794F8DF0E8,SHA256=4B036C9840E5E45C16544E1B9854B924869168DC9DD9524879732EF932D2E9EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160243Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:26.202{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4305C84E2B543E62F2B85981E62B2FF,SHA256=A4829956B322A6DF0D0961C26296705B5FC5E647B6690025A393308D78366CC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213873Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.850{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213872Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.850{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213871Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.829{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213870Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.797{079FE16A-284E-6116-B000-00000000E701}8523620C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213869Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.782{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213868Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.782{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213867Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.782{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213866Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.782{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213865Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.713{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213864Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.713{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213863Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.665{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213862Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.650{079FE16A-284E-6116-B000-00000000E701}8523620C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213861Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.650{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213860Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.648{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213859Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.628{079FE16A-2850-6116-B700-00000000E701}41044304C:\Windows\System32\RuntimeBroker.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000213858Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.628{079FE16A-2850-6116-B700-00000000E701}41044304C:\Windows\System32\RuntimeBroker.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000213857Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.581{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DB06-00000000E701}7116C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213856Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.549{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DB06-00000000E701}7116C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213855Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.549{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DB06-00000000E701}7116C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213854Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.528{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213853Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.528{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213852Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.528{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53B9-6116-D306-00000000E701}6636C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160244Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:27.202{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4ADCEE2719D40485D751C8A04670638,SHA256=AB878D212D54146CEF44E4CF5675D113D9A53046F1841F5755A3340EA4F64EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213902Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.581{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B8DD536637440AF8BDD122AC34CBAE4,SHA256=33364D528D50E1789532B854656852E988BF594892A48EDF302C328540880AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213901Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.581{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87D047E16FC05C487AB3EB0CBFDD210F,SHA256=568E3DAB695DBB7CB142941EB21C86A963BFE6044A3028756422AFD51FEF2877,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213900Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213899Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213898Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213897Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213896Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213895Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BF00-00000000E701}46525456C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213894Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.148{079FE16A-2851-6116-BF00-00000000E701}46525456C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213893Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.148{079FE16A-2851-6116-BF00-00000000E701}46525456C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213892Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.146{079FE16A-2851-6116-BF00-00000000E701}46525456C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213891Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.146{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213890Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.145{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213889Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.145{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213888Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.145{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213887Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.113{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213886Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.113{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213885Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.113{079FE16A-53D7-6116-DF06-00000000E701}56886664C:\Windows\system32\conhost.exe{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213884Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.081{079FE16A-284E-6116-B000-00000000E701}8524440C:\Windows\system32\csrss.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213883Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213882Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213881Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213880Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213879Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-284E-6116-B000-00000000E701}8524440C:\Windows\system32\csrss.exe{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213878Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-53D6-6116-DD06-00000000E701}67127064C:\Windows\system32\DllHost.exe{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000213877Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.060{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Windows\system32\ATTACKRANGE\Administrator{079FE16A-2850-6116-EC13-0A0000000000}0xa13ec2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} 10341000x8000000000000000213876Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A0-6116-0B00-00000000E701}628668C:\Windows\system32\lsass.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213875Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A0-6116-0B00-00000000E701}628668C:\Windows\system32\lsass.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160245Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:28.202{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80BA05388DE315EDE7F9E7BFC4FB0C4,SHA256=C976370506F189D94CCE7E47E1A8B195D0450D96B5920BEBE228A3F9A1BCDB86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213904Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:25.269{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64715-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213903Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:28.012{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B6F61CD9023DAD8FE0DB849E513172,SHA256=83676B495BC8610977F5D679B193059D34B4E9F7CDF8E31ECCB66AF379725342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160246Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:29.218{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A577EF8BE4244434C5F05FDD43046F9,SHA256=A063B1CABD18A848D3DA318E65400E216940DCFF1936FBE29BD0FE0F4D503C20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213912Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213911Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213910Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213909Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213908Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213907Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213906Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000213905Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.027{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BABEE7DB5B32C86D301E7ED0370743,SHA256=9CCAAD1AA9032DAC89962599E0909A16E05AD9C0F4C122F77692EBB1AE866EB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160248Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:27.910{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52070-false10.0.1.12-8000- 23542300x8000000000000000160247Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:30.218{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B265E79C509E4B64F4565600035E99,SHA256=29B5FC09DBDE8DEB7641C418F0E43E9F2B6954BEF6256CD53F2CD3E9431CD711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213913Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:30.064{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769E8BB96B56CCA1772857F0DA41547B,SHA256=A0D7459D32BCE944EDD033485CF945F4948B3B49834A40A6620832206DAD45BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213914Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:31.064{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6542502986581E07F30D35C02CC87B,SHA256=EF7F0B6BA1170A399EE83778D9EB17A260892A49093B161C43FE1868CDA1BF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160249Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:31.249{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC65E902AAB6CFAD03E5AD3ED19CCBD,SHA256=8DE774A9287BD57AECF32A4F04017FC609FB2745DB2B2C1959120AB2E6DD8070,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213916Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:30.348{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64716-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213915Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:32.126{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9342B971380566E95D1DA00008976F2,SHA256=02A279D800F69A6C466CF656EBD18A316B38FE48BA3656DEB90A3FE8C9048C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160250Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:32.249{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74899288EE266E2133BA699A38420270,SHA256=06A925B379ED7C122229CA76F24E832C36F696439DEFD5391884CD40A0B39909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160251Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:33.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3986925BF9B8BA36E13C9D5DBB2E97B,SHA256=C59F44EA025E298D104F3676D1DE5E5D3B68DB2AC8A92DF6A0437461542E59F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213917Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:33.145{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D2C9EE866986E527E1524E5F4BFDCB,SHA256=F9F8AC5AB565E0C7C6C1CA4DA843A3D1FA3AC56FF21CF99038FCA7CB238CD115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160252Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:34.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28FAA9EBA24E310831E43BB551F184A9,SHA256=BFD1EC30C24120B91B4F92D0E4FF43D62E5B01CD047B38FB9B016FCA3C10496C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213918Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:34.164{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85DC113249ED403836F68D8CB933DFC7,SHA256=D93B8F8DB87B089ED27661662CFEBB3422698A3D98578DFB75B7D301E27AA68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213919Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:35.165{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C163DB5ED3870A1DE6D5E50CA7B636,SHA256=2A33EA4B30D2E48482CC20DB3EA51A1D84D7779873F86473CCD224DB461CF1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160255Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:35.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0633EEF8AA3FFD094BF198F0AC264006,SHA256=5CCE4446FCE0DEB6BE2E54DA38C2A7079FC7557651F7544D87A3378ADB39F64E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160254Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:35.280{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B857C3AE0ED87E98B8AFECE4CAD69BEF,SHA256=CD8BB487A7FF0D479E70EB69A55899FE2A466B5B167E7A0AFE8B8DF5570FB1CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160253Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:33.788{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52071-false10.0.1.12-8000- 23542300x8000000000000000213921Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:36.843{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A0A9D8662C48EA64620658B7C6ACD4F5,SHA256=60863D9F5DEC831FC9EF8EC4C925E653BB26F18F9DA948C28B4CBC15E2144173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213920Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:36.195{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE99FA008F77DBFBC195ED9872AFA98,SHA256=82FDB64541B9741534D73EF011E64E39C34AEC452E677941E73ED11A959A9BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160256Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:36.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FB9B9F1357237CB6BA23E40BF7585F,SHA256=94C169D3E67F4CD363423A8B600F5F3CD622A93507332D44086023B7BC1C9AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160257Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:37.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD512ACBE45CE43D63A291E1971FF4F2,SHA256=F30754FC1211EF6D3801D6F9EFE4F69F1B27AD339E56DAEAC10857B8629A7CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213922Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:37.210{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC2C14C23BE6D54620F0AEC510F4342,SHA256=F1CE272252FB51C03CD9D5B9676BE13CB4FA49F748D43180FAC9C44964A2B3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160258Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:38.312{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687CEF1AE6A5F1046AC44120CFA5BC7D,SHA256=787B9E7056640FC98EE6220D7B201BC2D53F9D4C950BA38601C0A69F1AD1E29A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213925Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:36.267{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64717-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213924Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:38.611{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213923Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:38.227{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D8DB937A1F8A99E9F5081C1B8BA839,SHA256=51B60E966D984F49C78D57AC48E09E2FEC1660069FE9995CB1FBAFABC5EA360D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160259Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:39.343{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CB4CA039CFF7FC6AE6E8C8A1DF0950,SHA256=5C044A6D89800D713C73D02912CECA381C3E169D953AC3ADD290288D8AF755AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213926Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:39.245{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233A138D04F743538C98B2E9F53F361C,SHA256=0B77D48207694CC9709540101AF8331BAA2ECF4E324107CB0D940E0D8292CA12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160260Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:40.343{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF498E78ADF8828D21A569EB8A633BEF,SHA256=AE20B548807BA6E3EF30F5701C05D5389542E3AD75009712B335326C73F41676,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213928Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:37.718{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64718-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000213927Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:40.279{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BF7BB260918C613138F46D54534F4B,SHA256=E5E8C1C35031FF7F2B8F3A515DFCEA71461F30F183014D36E91CB40BBF742A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160262Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:41.343{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F99D69A5B84A85B2C199C69801541F9,SHA256=87D715DD0F69FD7CBD6C48F44152BA91EA461338DCF9D02AAF0773EA6E8A8917,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160261Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:38.863{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52072-false10.0.1.12-8000- 23542300x8000000000000000213929Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:41.310{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE9C04D86BFBBF51937E136AC61CE82,SHA256=48E6A65F65A914BDF523E05F63E862C10840CBF860BD9F8989D5ED26024CA59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160263Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:42.405{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC11B0ABA08631ADA771A141A169E8C,SHA256=6D28281828A119347C0094CBD8B7C3895C5B03359FA88625372F3C0589F53383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213930Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:42.430{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED99A04D83A896DC75A395A311726F0,SHA256=C552582B47A626730646A1D1E4D2D4918A0577C98AC9C3E3CA2AF7820349451E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213932Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:41.317{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64719-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213931Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:43.435{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853E05D3CF8B1D1B38296DC60C4C5FA2,SHA256=067824A74ABA14A4F124D4385C96DC3FE88A81F0D6F44D2A0001F13CD5B92967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160264Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:43.421{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF67ECC0D18E16B21763BC401911D8B6,SHA256=E7610A2CFA9AE3B57E9C204EEB1A2E2291411659B162FEBD575BDF397B9450E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213933Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:44.454{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98BE80B7A57AC471982A87C602E5972,SHA256=76B236619F36C0D9280E5306C556C1AF3D2F1DA9A2E66127CC08D77A03CD7758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160265Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:44.437{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A53400CEEB800D6A1EEFD4D8062C8EF,SHA256=071313D59394486E51EBCC46B697B9B8BB6569549D245668F94B1D2F7E3DFB73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160280Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53E9-6116-D505-00000000E801}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160279Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160278Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160277Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160276Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160275Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160274Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160273Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160272Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160271Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160270Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53E9-6116-D505-00000000E801}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160269Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53E9-6116-D505-00000000E801}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160268Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.656{C6197713-53E9-6116-D505-00000000E801}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160267Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:43.911{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52073-false10.0.1.12-8000- 23542300x8000000000000000160266Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.437{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BE1EA8536E9F2F85475B53FF7004A7,SHA256=DE6495FEE1AA2E4AD188BD82CD6ABD99FF9AF5C1F337C1002574F3978D69F7C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213934Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:45.473{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E79BB65802AD578B462FF1690F7B08,SHA256=55729B4F550BA7F7DD3FCE6C11A11BF2ECF74EC9E3982E55F93AEF6EA59F63C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160309Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37140990DBE060172338E3DC34B06E06,SHA256=75D62C40F6F051AC62CC06E706C8A5F21D1C535730583E07A0164A2F3D05C1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160308Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DE2FCBC81CC30A76AF941E31EF2E640,SHA256=E02EDE41D87FC0EE549DEF8172616249A577FCB9FD1F05EFF3D024B21D00688D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160307Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E748C39CE3C3920446D714890F851F94,SHA256=5E464B8E34E357B46A0D8E926C24C8BB0A0A36071FD08EC4B86F09E9F015A8D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160306Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53EA-6116-D705-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160305Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160304Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160303Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160302Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160301Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160300Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160299Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160298Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160297Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160296Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53EA-6116-D705-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160295Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53EA-6116-D705-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160294Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.828{C6197713-53EA-6116-D705-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213935Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:46.488{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD70094C5F37197440B14BF5DDC895B,SHA256=D791226F004A72EE26138051C7A3AB51DD6CC1CBD9372FA49B6EB7F443C70926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160293Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53EA-6116-D605-00000000E801}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160292Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160291Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160290Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160289Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160288Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160287Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160286Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160285Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160284Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160283Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53EA-6116-D605-00000000E801}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160282Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53EA-6116-D605-00000000E801}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160281Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.328{C6197713-53EA-6116-D605-00000000E801}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160312Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:47.846{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37140990DBE060172338E3DC34B06E06,SHA256=75D62C40F6F051AC62CC06E706C8A5F21D1C535730583E07A0164A2F3D05C1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160311Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:47.829{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C887F2332FCFCD2F5F782D6B7D9EFC5,SHA256=B1636DD1C5AF2EA9DDD9DD857DC77EE139F1D3B52782862CBCDE68B14531CD4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213936Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:47.503{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9FD88F72EF24C67202B06B41328C4B,SHA256=F615F3C67A5F796052F31C0D667DA8B6FE2BB4DBC20FD847B97E488DC619FB83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160310Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:47.032{C6197713-53EA-6116-D705-00000000E801}23523956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160328Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.830{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359187ADACE03DB069612B1B9C3CB7F5,SHA256=A0DE21DEAB2A44F80E785FABF72B4F06DC8CE17CA5ACF02073C7CB9BDF3E0910,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213938Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:46.325{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64720-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213937Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:48.518{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FE47E29F94D3387F61F44A191C7A2F,SHA256=E12D9AFC3BFBAF67279C004E09983FDACC7AB786131EB6D7E3147FE9D7865D45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160327Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.596{C6197713-53EC-6116-D805-00000000E801}23323012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160326Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53EC-6116-D805-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160325Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160324Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160323Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160322Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160321Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160320Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160319Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160318Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160317Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160316Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53EC-6116-D805-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160315Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53EC-6116-D805-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160314Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-53EC-6116-D805-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160313Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.221{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213945Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.855{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=8C706D4280C59E4F1F7C574F3E13B507,SHA256=4566077350CD631473285222ACE6C13E4FAD76191F406D7624FB23AD27B92CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213944Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.855{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2D48CC0B8F9D602BABBCD9CA61F2A777,SHA256=6439051A9A4CD12B86AEDFBAF01C7180823CEBF84400595DA6EB46358F5EF23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213943Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.855{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=64E6479249A670063015AEDEB7C81003,SHA256=D2DBE43D5DE1D608F067C4AAA57D93DF3CDEE258432E28E58B2EFAA6881FA508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213942Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.854{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=DC89444A41507ADFE55675355F8AAECB,SHA256=996F742E8FC04C5F1F4B4B6B51281B68F19EDB5CDD84741E0EB707173CAF7959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213941Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.852{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D4F910F950CA48E4FA558F89B96BBADD,SHA256=4FE1B527F298461E76EFECC00499D2F99D6AF9B7E278290F2C45CF620C6AA4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213940Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.851{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=4B77300FAB96FD22CD710640277146B5,SHA256=88D142546DCF873C7A035C311D1388B8A432B1A39A8D5E53501373C8B320E30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213939Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.533{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F485C8B37EFF94A8449B971B63E12C3A,SHA256=09597249AB7EBADEBC81EBC5223B6D664784C0F82A575B077144C937F6DCE402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160358Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4437938A949E8224425DB770E83E5BC,SHA256=888E4284EED4269E2328D7D61C5EBEFC2A744017F64A461FA96B018F92C5E4D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160357Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53ED-6116-DA05-00000000E801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160356Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160355Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160354Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160353Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160352Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160351Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160350Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160349Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160348Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160347Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-53ED-6116-DA05-00000000E801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160346Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53ED-6116-DA05-00000000E801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160345Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.568{C6197713-53ED-6116-DA05-00000000E801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160344Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:47.866{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52074-false10.0.1.12-8089- 23542300x8000000000000000160343Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD2EB2FFA5E642E2F368046BA676A5F0,SHA256=22F4512BDFC78D9A7D23EF78FC939016044E1F527A1627B0EE95F6E57879A367,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160342Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.333{C6197713-53ED-6116-D905-00000000E801}3124992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160341Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53ED-6116-D905-00000000E801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160340Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160339Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160338Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160337Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160336Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160335Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160334Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160333Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160332Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160331Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53ED-6116-D905-00000000E801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160330Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53ED-6116-D905-00000000E801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160329Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.068{C6197713-53ED-6116-D905-00000000E801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160376Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6243590A84DC43F28798C752EEAE63D9,SHA256=291581DE4A22B9A5E7C39F4BE038DC319EE3EEA92F195AF8FCEB5C926B7D2A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213946Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:50.552{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C342C89990D7312F0EDDC293025643,SHA256=57658F519B524D004780F7C0B482616E19D51A0D33CFD8624D48CE7A8BA43ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160375Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.582{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=312172FE7EBE7A40969E35C2CB839009,SHA256=5B02AD3652EDD1B621D84F145DBBA966E7A7FCF0C0BBA7C2903BEB898C19209F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160374Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.915{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52075-false10.0.1.12-8000- 10341000x8000000000000000160373Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53EE-6116-DB05-00000000E801}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160372Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160371Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160370Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160369Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160368Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160367Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160366Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160365Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160364Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160363Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53EE-6116-DB05-00000000E801}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160362Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53EE-6116-DB05-00000000E801}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160361Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.084{C6197713-53EE-6116-DB05-00000000E801}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160360Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=464FFF0A1224CA015ED8DBC1A0D84800,SHA256=21253FEE06A2DC73DB1462E1FC1B5591532D19636D3C0ED5C333D7C7328DC502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160359Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.989{C6197713-53ED-6116-DA05-00000000E801}13042196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160377Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:51.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493B28ED04350123D04AF8C9830CF69F,SHA256=BDC3632F51F619CCAE71144B3F603AD4A68CEF7CCC25F6719A53B54F1C6A9861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213947Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:51.569{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56B08C4D016FE7AD390CED122F51D59,SHA256=D8FB722271D5BD40212E9248917958BCDE49A0C79E8A8DFA5525BCCA0CF2094E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160378Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:52.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27BE2A113F5BB57FC69E793550C451D,SHA256=792215E510F75CF9F1384987A4C30C34851A6D76EAC396168903AE67E9ACD5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213948Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:52.599{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107D481838D857A927378310EDD8463F,SHA256=7498CC07240FD07A142EC4476AA6F91D82E4BCE0E05BDF0173CA43628A9A86D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213949Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:53.613{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95261E6B976DBB5A7DC93A7A7D197C5E,SHA256=625D7D1EC4607C159F73F89FFA7CB3FBECA69CA4255A24963B614040EABBC6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160379Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:53.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFF70A5B3B2385496D789211BF5459A,SHA256=60048A766E4ED26E0661E9FD49693CB3C0D3B3B9EA1DDFF434D7DF578B92234B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213951Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:52.367{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64721-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213950Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:54.629{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C6547E9EF3D7A1035CF6C6368FBEA4,SHA256=0C4B7320B644876879BA9243D404E982AAC2D4E814F43526DF276FC8BCD45C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160380Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:54.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8FCA0299121B32AFD9B7CD5F73CE95,SHA256=E3B51F00E57DB9E7E5226E59C5E9A1D8D5C6F021C9B839C8B3F5881C722D1051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160381Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:55.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBD2491D122214C1D94663BD3B7F763,SHA256=63C46CACC925E5FF07B0E5D8FA07E5809583F28CA0E8C532C52ECA75E9896F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213958Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.683{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312AAE2FB32062C7C17AE31921690826,SHA256=536B0149B98C107C619F8F6AFAE1EA76CD6E4773F6656CCF275AFEB40EE0CD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213957Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.452{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=697B0F8B8AC2BA6605B7317210658193,SHA256=14F11D3A5B8047161DAAA6B644C1760C442F03EAA8481C0ECC111613D531D86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213956Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.452{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=1F30967A25C13C4D8E82F9A8F1D5C063,SHA256=30AD2875CFD9231F4F61E6D8F61784BF3581C235758424E777EE49B8DDD80B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213955Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.452{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B2EA2B0AA6AFE4FF263DF8593852D732,SHA256=A5B98183717A53DCCF33DAB950B87E09C18CFC5E99044443B4D80C06D2EC1F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213954Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.452{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=35301AC43B978F17475DAAE8B4BD7FF4,SHA256=355795F5CD084B4B72D1B497A3BC3E4316DD1CB2E8C866AEB13FF2C65C47EA74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213953Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.450{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=734729C4A4A8F39DDAF0D8FE206F399A,SHA256=10759DA80E6F012E8109F9E94982ABE5ACEF352024FFAA89B5EF843D851449EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213952Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.448{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=68C52CCE8B562A0F3A927C0C0D9DF0CE,SHA256=08D6FEC469691509A3CC4351838FD6B5D5F3368E1524DE0EDABFC70BD578A65E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160382Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:56.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145F52890BC3FCBAC615C7E703AC3A16,SHA256=894E35843D95926EB54FE7A992558222AD7703F0A81D100952397167BA1FD47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213959Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:56.713{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABA025C42799D8237B2F8E912694321,SHA256=BF206C7256986C1EA5FE26121DB8D51C80277C684B3D0E2739C72C11B7AC8153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160384Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:57.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA53E30FBC8FF01BEE1F85BDAEA4B0B7,SHA256=629C96E1664F7833380E7DCF245C4926961CEEE485140225202703BCAF0A42DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213960Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:57.727{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFDD790891FA910CF533CBDF23D6065,SHA256=634319F09878080A275556C016E1A320C2AE4A347AC9E05EA1D4B17B53D1A4DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160383Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:54.884{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52076-false10.0.1.12-8000- 23542300x8000000000000000160385Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:58.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98118E67FE06F03652554360B8EDFA5D,SHA256=E1DCCF5D8A5E1CD06893E7FF945E24E38F1B4850B4ED5496BFF401E31E0DE92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213961Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:58.745{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E406707A5B55872C5EAB0FEB36E1462,SHA256=5F65CC38D1D4B4ABC32823CF7076556B0764F342C73674B38882105DB695149C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160386Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:59.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3E1BEF2BD68BBBEBF72858829E92B5,SHA256=B8C1D51EA93D29C017EE0588BB61B9AE1137E59967E474FBE84F138BE6DAE446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213970Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.826{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D602CCCB3A3F1D93BB7F8EA5F9067D8E,SHA256=47F9F9706424731FBE4E2BF13F22EC07E6DCC8653CE9E27ACB478F892BAB9E40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213969Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53F7-6116-E006-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213968Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213967Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213966Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213965Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213964Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-53F7-6116-E006-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213963Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53F7-6116-E006-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000213962Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.711{079FE16A-53F7-6116-E006-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000213994Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.894{079FE16A-53F8-6116-E106-00000000E701}57047120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000213993Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.847{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D086D0CB2712D59E18C524C1129ABB2A,SHA256=28F86CEA050C9D8C0B1A8D0EA794BF48CC20F4C13877FBE37918C52F5A56D3AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160387Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:00.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B77D1B074DFF5863B769315C874F89,SHA256=C5526F09A3C7885154279F2132926B037C27AB1BAF6DAA8169946EF2B6D055EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213992Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.716{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8BD004EDB018625D8091855E75FD798,SHA256=CF7A97DBB943AF46CA3D8E64CEF7D9A1EC0070CFDF9B71C8D32EE4FB5F81C04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213991Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.715{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B8DD536637440AF8BDD122AC34CBAE4,SHA256=33364D528D50E1789532B854656852E988BF594892A48EDF302C328540880AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213990Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53F8-6116-E106-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213989Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213988Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213987Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213986Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213985Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-53F8-6116-E106-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213984Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53F8-6116-E106-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000213983Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.565{079FE16A-53F8-6116-E106-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213982Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2D09B6F9EDEFC69A233391E2628A680D,SHA256=7BB2B6314799F909A3D6EFE9CBE59C2ED8B29DC1202CA9149B03E032E288916F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213981Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=AE7C0F65D3CEED0E1410D63778B5DED7,SHA256=654C8809846E88214A2D7275C122DA061457BD9C5C8F78262EB5C1A9E7B44FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213980Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2D0A83580422635CEC7C6D7C2DBD82F6,SHA256=154BD1FC44C8FCF9A0215206827D84E31F17886390AF02C07C37A2BD6468E007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213979Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=CC34E591623319FF8AC832C9184F3C43,SHA256=82B122F25673DAC4F01C43CD4796562F99F6DBE9494A5DB831040BA47D5B4C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213978Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=7E0E2B40BA90E4E8BEEE42FEF678321A,SHA256=785279F4DE2A47DA6495964554056B41380B1BBCD602769363DB0D1AC7CB6214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213977Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D655D2845120DF80ACC06B8841AFE0A3,SHA256=21931DBA62BCFF47ECF453D9B833C2FB25EF1BC00D645AC8A36A8BCD8B171A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213976Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=802CEF181B45F65EF49C0A4C04368D60,SHA256=901C723C381A0A40D000454C06A182397B106BBA10273716F195486021AA14A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213975Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=6F6491A601A1A664861361A6FFF7D187,SHA256=002196242A59970DCBE475A4F60DB68DCB294DB298412A74AAD2E84DFBFE0864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213974Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C67B28D3C3C20FF2D97715B4885C17C8,SHA256=6ACC64E6DF471D6736C00D0B6D6E71E026850F6B68F664609671D3D2A030F4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213973Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=33144AC011368A829D393503FD89C748,SHA256=A6FB8E4B3B2FB648E66A089021125A47CD50D63DC6EE25471F973BE22D011F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213972Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B6B164F3D4A4FE34B5C93F0202AFD4ED,SHA256=51B5339376DEDC0489144D142BF836A5AF8B1861150F2A64B58A4E2AE7FC2143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213971Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D16251F3A0AA400F69DD51DFF20CFC7C,SHA256=1F209995E8AE90213AAD823E8CAD33216E7A4AFE0975097F66AF2DCE9B4E2404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160388Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:01.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4288DDC61070416A9B29917399537432,SHA256=671F22D5A290D4C9F1466B604E12B18A9E3FDB2A954DAD620D6B16E9F6ED35E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214004Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.862{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E406E970BD07572E88BD7D32DB707274,SHA256=F97E7DE60FF0092ED9984436960B4F84F2E719F0AF82D215C7D386E3BA4619A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214003Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53F9-6116-E206-00000000E701}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214002Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214001Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214000Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213999Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213998Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-53F9-6116-E206-00000000E701}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213997Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53F9-6116-E206-00000000E701}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000213996Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.196{079FE16A-53F9-6116-E206-00000000E701}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000213995Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:58.133{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64722-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160390Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:00.853{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52077-false10.0.1.12-8000- 23542300x8000000000000000160389Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:02.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F525B9841B07C0A90D237DA692F3A06,SHA256=735585752E99AB292B6CA0266812FF054FA24DB328B09E1FAFB5F36F3265F2C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214006Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.877{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027C65C65C032C9AB587E0A966EFC168,SHA256=DE56783605920CC4619C76CC577E1C3A8F6616AAEE43B22254908369AFCB8953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214005Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.362{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8BD004EDB018625D8091855E75FD798,SHA256=CF7A97DBB943AF46CA3D8E64CEF7D9A1EC0070CFDF9B71C8D32EE4FB5F81C04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160391Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:03.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EBD34F59BBD0095A5EC66D79E99895,SHA256=6FF6A8C7E1FDD51186859BEF147F4D6E246BDCB89B2377ACC1426B21973ACEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214015Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.915{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E56F04556524B76C031D8CF6FD019A,SHA256=FBB280F019511D99566FD547A142F621E5CC67911A477944147999CE6A4C54C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214014Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53FB-6116-E306-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214013Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214012Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214011Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-53FB-6116-E306-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214010Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214009Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214008Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53FB-6116-E306-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214007Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.778{079FE16A-53FB-6116-E306-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214028Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.928{079FE16A-53FC-6116-E406-00000000E701}41326340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214027Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.928{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B381EF1B53F9C708D9564A2FB051179,SHA256=7BDFAA4F5142E20783C0DE060EEE1AF1AE8EACFD1F26A9D5344D586FF08D1A0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160394Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:02.852{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com50132-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 354300x8000000000000000160393Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:02.502{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.9.49.23995.9.49.239.static.ttnet.com.tr54306-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000160392Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:04.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE89B56C2CDE7282B3E6F368D7A2EBB,SHA256=879B79E39B49658E7B346FD09BA2F9754674BA075150F204BB14F2AA7BDE3A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214026Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.693{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF8C56630A2066793FCC74DE2FC0B80B,SHA256=74B0FCDDDB6C5EB6AC2B5CD765D39A2DF68A7EF4C965B2EB2999D533D7066E34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214025Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53FC-6116-E406-00000000E701}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214024Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214023Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214022Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214021Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214020Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-53FC-6116-E406-00000000E701}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214019Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53FC-6116-E406-00000000E701}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214018Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.645{079FE16A-53FC-6116-E406-00000000E701}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214017Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.932{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.9.49.23995.9.49.239.static.ttnet.com.tr54301-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 10341000x8000000000000000214016Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.117{079FE16A-53FB-6116-E306-00000000E701}26726192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214050Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.975{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EA1D294A4F21E9C3C0C530F07EB384,SHA256=0634A33A6C5D0C227FCE3AAF35C639A13F6BDAAD1FAF3EC8686439055E08023C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160397Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:05.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=179AC6B2F513F4014A73AD85E078EC6B,SHA256=DDA44E59B59BA4D51EA2FB787F46884ED2390E280DAE291AC1D0887F6285E218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160396Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:05.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910308649549C0748ED32ADA1442D0CF,SHA256=14EAB319A4DABC4C29694B68B5EA33778900E7608AF5298D6CE3BBA26B6E0086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160395Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:05.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638EE150635B86040FE5FD35C2BF5EE6,SHA256=556ECE0B6D43FEC0111B76465C5CBE1C1DF05FFA8657ECE380DE1E5519624079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214049Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.890{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01290245E9F73804769DD97D7B0ED15A,SHA256=C2DFDA52C715C82954D220766DB27F2FE6861B07BB9F7AED31E89E6E0ED5026B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214048Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53FD-6116-E606-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214047Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214046Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214045Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214044Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214043Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-53FD-6116-E606-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214042Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53FD-6116-E606-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214041Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.792{079FE16A-53FD-6116-E606-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214040Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.575{079FE16A-53FD-6116-E506-00000000E701}55883440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214039Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53FD-6116-E506-00000000E701}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214038Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214037Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214036Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214035Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-53FD-6116-E506-00000000E701}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214034Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214033Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53FD-6116-E506-00000000E701}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214032Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.292{079FE16A-53FD-6116-E506-00000000E701}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214031Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.769{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64723-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214030Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.769{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64723-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214029Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.328{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com50130-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 23542300x8000000000000000214053Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:06.991{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFE7CEE7C3AE72B1591FC3FDFAA3CE0,SHA256=7CC5B420094E64958A9B5B407E1092A3AA34E8FE6E57C4AAB1951E85EFE814B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160398Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:06.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D045019031CEB658D7AE99568E1C933E,SHA256=497CFC5D3D4A23724FF62CFA290D6994A53C40F197898F4230B866642C999552,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214052Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.013{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local62663- 354300x8000000000000000214051Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.184{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64724-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160400Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:07.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F2587D4EDF570BBBE138DFB5D23ACA,SHA256=DCF7F8C4EAAEEBE100383DF7747CF3E8364ED3ECEAC4C0F15078D98767A10C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160399Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:07.239{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=179AC6B2F513F4014A73AD85E078EC6B,SHA256=DDA44E59B59BA4D51EA2FB787F46884ED2390E280DAE291AC1D0887F6285E218,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160402Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:06.791{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52078-false10.0.1.12-8000- 23542300x8000000000000000160401Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:08.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38157502A3C62DA1E7B9190DDCD303ED,SHA256=CAA1C9A1AFFAB48E7CE81912842F852DF8512EF2EB957D39CCA89BE05E589538,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214057Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.090{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000214056Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.090{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214055Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.090{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb14e51.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214054Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.024{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B796000C04C0521A286C030EE5AADB0,SHA256=1C7015BC4EF194C745D05234913FEDB59FE860F8F98B055DF3E3CCF22C11992F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160403Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:09.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9F2FA9689B619EC053E26692074A36,SHA256=44B5510259746AED3F2D9DFFB11CD6F121612E8F49530EF438301FC272204121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214058Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:09.207{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA0F337F0B9006BE1DF2324C6E47352,SHA256=C7D6129A62D4E8314FA78E51D76242C70E154D8EDF5C464AB3892D42C06DE4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160404Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:10.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22874727BE7AF05E22EE7D7FB70677EB,SHA256=6E7FD18E2A2CB73974A93B8E380E1CA6CF1A8A2A7B4894A34598793A62D35150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214059Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:10.325{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB1AB28DBCFA7EA5071BD6CF3574660,SHA256=8AE15A645CD6790C1A25A27381A5F34DC4B688B5E236DB1854C465025871671F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160405Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:11.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE90F84C08A315A706E3B9D2376E800,SHA256=F094168F33D347C4D4999E3223CA14799328BF4AE40C40AB10EC9591CF4208CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214061Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:11.343{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C7D78D66F94C5B527AEFD43307988D,SHA256=F902C6EBF36BE4266FB02F7F886875F8AB4C32137453DE63D503724EE171DD44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214060Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.199{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64725-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160406Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:12.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4971DB95A09FA3DB4D4118CBB0B76F,SHA256=5227BE1087D0B68E1FB8D4576B821B7FC0502F3FAED463C2A68F6FBD362F4B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214062Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:12.344{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C8155F7FEDD7B828347DC3CA2E7959,SHA256=DD801A5D5CD72A778C5D257F3EA261B81BC8FF5F6CE78143BAA2969B33899F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160407Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:13.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6998BB49D8A93C85B8A44B40AAB852,SHA256=B64318D3B135DE7AAB41DE85BE118BD65B0597ECB22C0F9B16A1C5A29030BBE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214063Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:13.374{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5481D4827419D0D606DFF265152ABD,SHA256=12DB23BD567221A2D852098213A5BABF2B641ED438F848A97D2D2D26EDA46E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160408Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:14.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFA689DB17DA18391FD8541AB82E420,SHA256=B88DCA22FEFB8EEB3F6A0995E3A43BD3F54419C4D8A1E3F72FF122DB102083A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214064Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:14.389{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C14049512BE7CA12DA5821E30C5984,SHA256=2675E63E74A8E9575050EBDC97062AD9BDAEDD372FC74FF96351055BF8B5A4C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160409Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:15.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAF68DA247E5F3C9CDDFE694F62BFDE,SHA256=5A43E1302265331EE8B8450E41DF45D0F232F56068FF0A406323007ECB558CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214066Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:15.404{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7421CF21EA3D8ADBEA00B8C051B13DBC,SHA256=852DAE153A5548A617DE61D4E9D9F53FD6170BA1AFBCE427345B78EB8198F573,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214065Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:13.243{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64726-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160411Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:16.926{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B943ECFEA5B4314AAABA6F8156ED1D,SHA256=FE35CB03D52912F7EE9022D8A59147CE0C3B273694470E839CAB8E961DA12B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214067Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:16.423{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D54F6FF4B1236655EB9DACCF6DB345,SHA256=1E174217022DA5119F1F62F12F4C1DA06814E7E923B7697A492C5C94DA4CF022,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160410Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:12.759{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52079-false10.0.1.12-8000- 23542300x8000000000000000160412Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:17.926{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8EC77C868F45E4A819221B3092ABE2,SHA256=F3A2495008998E7F5DB56A388682342B3B91D00998E9878182D2FDF2AC2A5E42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214068Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:17.441{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B6168A9CB80DD4825CB04C9D679905,SHA256=6D4C538DE09E29F55078B9AAE97A75B83879581E7E5AE95E73756F7DEBDE3F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160413Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:18.942{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42976A9B89668DD5DDAEB71166CC064,SHA256=5AB49BD4C101847BE609B7991EFA4E2B4F4637DEDFB46B771E5247ABE095229C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214069Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:18.457{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD676997FC7D5D82BCE3F70A8A7E53DA,SHA256=CC6BCFACCDA131C5C4D25D8CABE928B70D2B30B439C68605DCF6705B9C7C9959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214070Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:19.472{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899276083C911F77EC6C7537558E87A6,SHA256=ABB63EDE7B3D217BCEB3DCEE3F4C6720FEAC057F544D81206101504BC0903F0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214072Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:18.264{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64727-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214071Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:20.486{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20AF7B84BABC7D05258E34BAF0EF59F,SHA256=4CEF658D86FC2A52F196C15BCD82A768FBC2DF928378D149BAB7E1EDD9C86F92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160415Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:17.791{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52080-false10.0.1.12-8000- 23542300x8000000000000000160414Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:20.004{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B527593AE5FF4876587E6634648A5D,SHA256=AE971CAEE07EB28C40C862FA66CE117085E7569E6952B2BAE775D3274B3D42D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214073Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:21.487{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2884862E047BD3674D283A6AA18AAAEA,SHA256=CC5259FF5BA241543F048D4F9B1DFB579ED3648541B3CAF6EDDD030EBE0B9CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160416Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:21.035{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6DA62FB19E9E1A585482F4E9180149,SHA256=EDADE5607C6FF2A6E36B570E18A9DF64EB692D08FA4A6ACAED9D4D2E4513CAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214074Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:22.488{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66BDC62DFFE9F88BA731BDEC4885291,SHA256=6FE25AD08C3FC8700ADBE5CAD709619A62857A36D60BFB47093FF8A932226BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160417Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:22.036{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEC62EBC55706AB103C4C62BF3E1904,SHA256=0113BC4F7031EE0265FE89C6F690360FC1640C38C7FD90173F7A7BA29042AA44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214075Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:23.503{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D086FDC2DC073A37504FC362D035F713,SHA256=B87BFC21E8FE3864CFC19D6FEB0EB8A5953A49D398A82990B49DDE7FF79D2CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160418Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:23.082{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6A29F903DD1DBA20F8850B5577E675,SHA256=FFEA4077C9C08884DA65FC25BA18DDF02B3EBBF3454B99762DDBA17852AEA133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214076Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:24.520{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402DCC38F73573D54F392488D68B3E05,SHA256=B6A54878684CD76B2E0F8F8148DD2233E0A9574DD8EE876E8D260EFD4533090C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160419Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:24.129{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935004980812BFCE4D14F0F622064FB7,SHA256=8C54BD17483379ECB94A2D782EFBE6401D401FA9C7DDD3F9486EB0285AB37476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214077Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:25.539{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A62BDD7CFF0C6D665202D09EDF97911,SHA256=00C40F9E4938A90A94DBE09E705D55A103F628E861A5DEE56EFAC39292CF72EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160420Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:25.145{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC02E068422CFC2B1D472F523EFF52C,SHA256=E7B38E8E361E8B05981EA4C1BB925415FEFE867A4C54210EF5EAD844A5A576E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214079Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:26.569{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7A2643548FA5E6F0F2389D2E628CA4,SHA256=C6DB1B6007480FC3A3382B80A0BB7BC995236C61CCC87B2F5E74038CC9F66DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160422Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:26.160{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDEEA89B3D01CB231F8C88A41CADCACC,SHA256=F89AD752906D300FB87F569B0F8D6E2B1F2FD6DD5ECE40C7B24EC8FE5802BAFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160421Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:23.791{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52081-false10.0.1.12-8000- 354300x8000000000000000214078Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:24.224{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64728-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214080Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:27.599{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FCEB3FE6D0F8ECE2CB1D4B99B485A5,SHA256=91069C1F18E9D9B99333243F490DA6CD550EF6A86275262FE002F7DC64A7FC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160423Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:27.223{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811638FBEB1A936F4907FF7B63DA2A08,SHA256=43C2D832369EE8C4152A7C4BA857FF3898DA3E1023621ACEE7D8C0698C0D6882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160424Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:28.238{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967230D0CF1A110BD71CFE58FE74AF81,SHA256=8F36C085864246255F2B4A058A8D366606B2A536D32E5A8CE61493A95C0FE8A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214121Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214120Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214119Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214118Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214117Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214116Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214115Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214114Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214113Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214112Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214111Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214110Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214109Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214108Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214107Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214106Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214105Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214104Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214103Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214102Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214101Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214100Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214099Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214098Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214097Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214096Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214095Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214094Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214093Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214092Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214091Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214090Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214089Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214088Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214087Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214086Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214085Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214084Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214083Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214082Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214081Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160425Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:29.238{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128F70F9102EB621E96A5C284343E57D,SHA256=104CDFE473E3AC719A05E0765FFE965F13ED19FF4FC8239F13921701B1BC2C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214122Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.999{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C134F76876F2461B53E76900E02FA5CA,SHA256=56FDD2DA2B92EF18731E90DD4710C9DA34EE1D846F391F7008F4FE3F841AB0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160426Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:30.270{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA23EA711B9E9F2B41EDE0755AA903FB,SHA256=39C070AFA4810367B49A3CDE1821D27306C261C3F808412C3F112CCAF6B28548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214123Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:29.999{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA7C16E0EA0B086773D832104221D11,SHA256=068F2CD3ABF3A4667F63BEB240032D56AB2AC57B714073730371FABF0BF6E15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160428Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:31.363{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181CDACA65CE497CEAC0DFAD85870169,SHA256=8C6AF09A84E9DE8396BA6D79D7B152298C000CFCD82EA93AB95124C3F1786101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214124Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:31.016{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07293859314DBD97D4078CC908189A73,SHA256=524B70381B02C6549ED4970C78202C68F0E1AC3C549BB1A6C6392003A484F2C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160427Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:28.807{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52082-false10.0.1.12-8000- 23542300x8000000000000000160429Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:32.379{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F841EF501CF2B4790FED9DAEDB4FEAAB,SHA256=2C387A785EE4C7380329D0DB808B23A59FE9DDE0FF7735924CF55222B7FB9376,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214126Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:30.205{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64729-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214125Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:32.034{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E732353A1D14FCC20C4AA5D48AC38B,SHA256=8B68BC5C4C49B9FF1269647DB552649C6737D4F4C6E1FC9F522EDD38ABA46A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160430Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:33.379{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02ED10304D27686841E45F0E0E72C35E,SHA256=0C816B23B2E54B845AEBA061A7D49A0BF117F1F0121634008FF560CA38382318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214127Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:33.065{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B315B8519D6BD51BDC7052928DF236C,SHA256=65AFECAB5CCB62700279EBB0FD17883E9E65A851AA20CC13FF8EA3760BA90ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160431Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:34.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0FAB1B02B4055F68B0D6516570D609,SHA256=E3454E116264BB3CDC9922A154F403DE515C061A53A2D895DCD004B2426FA186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214128Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:34.080{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F1468597CBACBCEF6572C627CCD02E,SHA256=8EED6F1606C3BDEAEAE13A5A7995BD7112F454FFB1BF7239F030B9C8E2FB3E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160433Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:35.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81AB3DF7F77930D34FC2AB178C06674,SHA256=2B8DCA91293D156EA87E7AE74B55389A580DCD945CA82B9E6185A877CA8DC8D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214135Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=559D04577F94E84100BC05143EF551C1,SHA256=539215F6953D1129939C74266218D94B9E3F49A7E7EDDE7BAFFFB06555CF4B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214134Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B5C59797EE91D9BACA2A79622F6F96E8,SHA256=769D1D203D1F11BE901C2E23177E85E472DA12656D8123DED2D95569EF492DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214133Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=9CB292F06C524826BA0DB2C28C66A428,SHA256=4BA9BDF70D6A8BD6BDF09C2D60785B1FEDBA4B42745DE604720A91573642B94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214132Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=5703502BAEF7E17CA8B38556582F73EA,SHA256=BA55ED4D461B02ACC090D2C6310B720C832BAD78731CD44E96AB85276699AD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214131Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=97380B0D58303449968EACA32F22470F,SHA256=385ACF8D75B9588081CA3EACB84843B34F225473468EF088017123B7B97A9664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214130Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=9B0C2DC2A4D9D305A88407E1917A5E86,SHA256=5A8DD709B3028F12CCFAE9BF861B1A02F06C29699EB6966A3E85339DA348109A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214129Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.094{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2752315EE55D4AE1B4B85F2BD65D6AEE,SHA256=9A9F070CF8E7E421C3DF028B9958C0D8E04B8E6660648CD833CD192237C6C8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160432Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:35.285{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3FED0538A81EEFF17B316DC5E86D0AC7,SHA256=D8F749FEE7719072A3955A144DC0CA7FBC1D407A191AFC8FA4E2C41F6C285D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160435Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:36.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773F0748943B79663A9060B2069C74D0,SHA256=ABF75D815DFEF2C7212F146F2AE2A86BAD985A38B2DD59145012C319843159B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160434Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:33.823{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52083-false10.0.1.12-8000- 23542300x8000000000000000214137Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:36.846{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=44DF3CDBF2A8C35B7F0EF76643BA2036,SHA256=3998D304C1D55E9183ECE35F813207919CBA85F6162B0BDE863B39276C194A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214136Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:36.131{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FEB05DA48021EF4EB926BFC172B5E5,SHA256=973B28A204F7BD02FCBFA6E6D1A3424095E80F10FF149F91C6535DA5FEB4D066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214138Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:37.177{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64922719F254CAF89EFE27DE2D9A7A9A,SHA256=C010508D8D12548C84694D01068F0B631747ED27E177863DE7BB9B8A99F71F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160436Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:37.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018663DBF3B4F76975E31FED7A6632D5,SHA256=EB3DF34D82903E09E34A16DF21F2239E705B5CC35168594E8F078A56860B1B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214141Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:36.200{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64730-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214140Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:38.645{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214139Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:38.178{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26385615025BC1F961ED6FCB92A6AA22,SHA256=7C248D32AB80D3BD1D959169F207EEADDBE12DAF16D1B44B8DD1D7E249C75A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160437Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:38.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE9CDB8791D171A2EE4729DE131BAFA,SHA256=7DF5CF9CE850E51FAC905DED168870F51E39785FA411FFF22791289E586F776B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160438Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:39.426{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDBA0440DD8BC0D6FF37C5E07E6C1C2,SHA256=9EB7639F6A2F3A1E4B4A575278B7F82F558DC184623B7A0BD94947A64A37062C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214143Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:37.752{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64731-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000214142Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:39.232{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BE1DCB7D011AF12DD88C4CA92F6F0D,SHA256=62DE3FBFF4D57F748C66148440F32B540406DCC10EF49DC41A793F695AF0B992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160440Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:40.520{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F174B7426FE2ABFBAB0AA1C5073104AA,SHA256=BEAEB3CD662EB086EA36E973A50100CFEF9861BD4F76095586F43940F67CB23A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214144Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:40.248{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4307972BE59C600E37EFF1FEF00C9600,SHA256=2DBC89918A00BB42F1957F59F5B69CFE7758C787552A42F75E45006846505C85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160439Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:38.838{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52084-false10.0.1.12-8000- 23542300x8000000000000000160441Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:41.535{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027BF63FE015523133332495346497E1,SHA256=6C1DB79EA28E58AB6D8EB7A9EA8AD9250825224AFCA990CC73007651C10D8849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214145Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:41.279{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64106BBB6D8CFDABA3FDB3A21E2A4C6,SHA256=E54126D28374C9C77BD46036B8383FF53BA0E186A03BF30BE86B1FDB294B5487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214146Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:42.293{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA0FC569E9CD73B4BE5BBA35C7337A7,SHA256=6D187AAC24FD7DF67F1B5C2F0F2A0636E94FC419A97F15AA31FA95885F0655B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160442Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:42.551{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3343EC8B01B57AB5040AC1C26DB42FD,SHA256=2CCC14D5134E8A1229337DB5CAFB3DDD6257DFCF4195C5116ACD780AB95125CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214148Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:41.232{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64732-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214147Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:43.331{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CB041E1D85ECA2FE5A5B98A98FFCF6,SHA256=09CDC4C3905C5CE2BAE19463A461C853A1D2DD5713E220D8CDED0D18321BA10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160443Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:43.551{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5AC5215082D9355B54FD47804D4F688,SHA256=AADA6295672925915CC7CAA8867EC2D6C050D4CCFF229E33940277616B45E887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160444Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:44.567{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609C2504CE6F4702A0D2AF3EE544179A,SHA256=7766F2BCB0A6EB3BAC2BA1DF9F887488A1ABC075548071BBA2DE323212C7AC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214149Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:44.331{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BC818381E77836C730D1C55C10791E,SHA256=02B04AC0F8AC5CE563289EF90D3BAB58B53541B31DE97642DDF9C2ACDD6E4EC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160458Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5425-6116-DC05-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160457Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160456Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160455Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160454Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160453Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160452Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160451Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160450Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160449Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160448Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5425-6116-DC05-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160447Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5425-6116-DC05-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160446Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.661{C6197713-5425-6116-DC05-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160445Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.567{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC3B7C9B11FE76ECC29368A75ED7E7E,SHA256=57DCB4BD9DF80E84C120D8826F9BF0E386FE45806D8F4315E1809DA63824E36F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214150Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:45.346{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F88588108870E8DC5E0ED84EF9C2EE2,SHA256=F68C37FA10120944A79C75FC94622310114B2D5AD1F662765FC038AEE91C286F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160485Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5426-6116-DE05-00000000E801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160484Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160483Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160482Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160481Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160480Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160479Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160478Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160477Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160476Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160475Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5426-6116-DE05-00000000E801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160474Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5426-6116-DE05-00000000E801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160473Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-5426-6116-DE05-00000000E801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214151Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:46.361{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400546B95DFD4E08A7F4BB5BDDE09D39,SHA256=B73DDD2B2388DF4688BF44A498B22707323D505428D6718E6C600B93C3778D9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160472Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:44.869{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52085-false10.0.1.12-8000- 10341000x8000000000000000160471Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5426-6116-DD05-00000000E801}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160470Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160469Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160468Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160467Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160466Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160465Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160464Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160463Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160462Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160461Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5426-6116-DD05-00000000E801}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160460Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5426-6116-DD05-00000000E801}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160459Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.177{C6197713-5426-6116-DD05-00000000E801}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160490Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.850{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7F27C7D7A07C395A43C7339A9E2430,SHA256=C3E3C20C9411058B5BEB9327FED59A92F65AE8F25BE387E339A118F59A67B99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214152Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:47.362{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396FC0BD9239D052E500FCB88AC611A9,SHA256=A68AA1C44D0E2B57BF953F0E7B4B3D151394078B2DD2FA44763BCA9264F26DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160489Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.051{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2DB466F63B69A2BE52625441C9D692C,SHA256=F51C525A2C4EC8763B35C991D79217A98F2A6CB8979DA4D1CE7303448BDA8EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160488Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.051{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2305109B1155570F123269343B4E24E6,SHA256=11A7E530096B5383C2D3BBEFAC2942E5006FE37FFB5D5DCCA871DD97C0E451D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160487Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.051{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2A9FB1E5768591B12877286FBFAE14B,SHA256=CED20F72916066FA2D9F035ADBEDFD3C9EDAD4C185DE798A95C4920BF43344B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160486Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.020{C6197713-5426-6116-DE05-00000000E801}32441036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214153Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:48.376{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E6B780E48BCCA06177DAE952A8D7A74,SHA256=2E783D667F1FEAC10C24A8AE8F4E65E9DCBF2C538333B1FA21694BC2B4B1B53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160506Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.857{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D3494ED45AE0C04657A0888854003D,SHA256=A16D43C902252F542792CE4D4AA6286F502487830B4DBCC8B9B8C7BF470B538A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160505Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.616{C6197713-5428-6116-DF05-00000000E801}3460220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160504Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5428-6116-DF05-00000000E801}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160503Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160502Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160501Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160500Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160499Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160498Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160497Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160496Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160495Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160494Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5428-6116-DF05-00000000E801}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160493Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5428-6116-DF05-00000000E801}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160492Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.413{C6197713-5428-6116-DF05-00000000E801}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160491Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.241{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160537Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.898{C6197713-5429-6116-E105-00000000E801}28364076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160536Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.881{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291697D67CCA8AE1DA070DC1466F5F0B,SHA256=F7C26EEE11E18941D8B36CDD0806350A816FDB42CF305CBA974A4F6E0796F3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214154Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:49.391{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD408DF702154BF3ECD56AF30C54BD70,SHA256=F1BCFD0BA8059B2CDD69BFCC1CC735B5867E826D7DAC96F16A1CBF3647D16A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160535Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.644{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2DB466F63B69A2BE52625441C9D692C,SHA256=F51C525A2C4EC8763B35C991D79217A98F2A6CB8979DA4D1CE7303448BDA8EF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160534Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.887{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52086-false10.0.1.12-8089- 10341000x8000000000000000160533Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5429-6116-E105-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160532Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160531Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160530Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160529Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160528Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160527Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160526Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160525Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160524Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160523Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5429-6116-E105-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160522Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5429-6116-E105-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160521Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.583{C6197713-5429-6116-E105-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160520Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.363{C6197713-5429-6116-E005-00000000E801}24042384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160519Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5429-6116-E005-00000000E801}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160518Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160517Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160516Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160515Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160514Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160513Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160512Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160511Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160510Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160509Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5429-6116-E005-00000000E801}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160508Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5429-6116-E005-00000000E801}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160507Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.083{C6197713-5429-6116-E005-00000000E801}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160551Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.881{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379938496260AA2A0C568D454E9891D6,SHA256=FEE352C07E4E8385D13E945396728B8DFB3793B6661559B4FC3C53F87D09728E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214162Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C206F231801E8982FF5C4EC9B27410ED,SHA256=D96764B55135B3B03CC06CB9E223BA3348F7AB217A9E8FFCD96BD19752BF9A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214161Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B4A09D2AE6175CF7AB77019DBD5E92C5,SHA256=7B3DC78D30C0576FAAACC20344B3943048F2256DC4BFC31D2DCBF08E44BA0053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214160Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=AA2E7C4FA956F6BF549B32B52C3A7458,SHA256=16DD5220A28DBF7E8826BB3E1A4F370DF5986D03E17D64406582DEEE79CC4C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214159Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=828C1F2CD1011FA312BC3FEEBBCDCEAC,SHA256=4578C7E7AB9B10CB13A1513296137B5D259A95202A6C72A8E2F87079935205DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214158Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=E581E741AC096B26D9DD6ECB92228F10,SHA256=F532275F5B93C4C0F4C154EEE7C2E44A66204B244DC0B0FEC7D1969FBD93583C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214157Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=3E1DCA3E6504CE60AF26E0D77082F377,SHA256=1C1336618A99491F62EE06F205276BAB6584F5F2E061DA085223D8391398FCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214156Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.409{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424ABE0708F5C197B4D0625EC4328E08,SHA256=6BEC62A52530FE542DF65A7DB2F6FDC13CC56660530012E6AE013A755F8F8043,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160550Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-542A-6116-E205-00000000E801}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160549Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160548Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160547Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160546Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160545Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160544Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160543Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160542Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160541Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160540Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-542A-6116-E205-00000000E801}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160539Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-542A-6116-E205-00000000E801}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160538Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.085{C6197713-542A-6116-E205-00000000E801}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214155Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:47.215{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64733-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160554Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:51.897{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94ECD08D541E52D61A59116EE9E3F8E,SHA256=5279A46066B83C0655DAC403B906E9E30D84F3D91E172C00A8BC989D87568BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214163Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:51.442{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD6E089593B45C6AAFFB12B34C253E9,SHA256=5B79A82F0E77F130D4A8B2B53C943ACD50A668EB96F05186FFAFAB9BC18315CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160553Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.893{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52087-false10.0.1.12-8000- 23542300x8000000000000000160552Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:51.319{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05D38038BE98C4E499BB8D83A2C920FC,SHA256=4C00445A898855A9ADFA9C0BB5B802FF6BF1B8713F7A8E09406062C15C0A17C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160555Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:52.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9E733DA6013663E0651D743486AA5E,SHA256=8D8ADA51A86753618FD712B87A786DE3445BADFF7BE3EF3AC6A0971262A8A520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214164Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:52.457{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24FF53E6199E174D4B82C5882529324,SHA256=E4CD05FFECF7B04FE0F95DF92646AB540D52DD91E5E6698477DFCBD179883CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160556Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:53.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEABF2859A4914692CAAEDBDB60B6D48,SHA256=AEEC4C98DB5D8BB799122072BF9DFB1C317D003FCE1757B6B0514D70543B137E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214165Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:53.457{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C401CC0D3B37A29F7A954E5C19662D29,SHA256=699E45D2E04CDEB107EB76179C3530ABFFDB8921D42DE5831C145C838AC69179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160557Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:54.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487A73E39AE90FC8C817C6CEB91F6536,SHA256=E20B68CCD2941223733502C5F239326636DB3F83F5D9C517316092C991ECCEA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214167Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:52.370{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64734-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214166Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:54.473{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B6D38B89080FB5256B04EB34B3FC94,SHA256=86E97D4AF0DBADC25B0CF85B9BA08EAAE0811B08D38946D5E32F82B0131DFC4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160558Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:55.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3F25A72A5C840158B36DF09AAF549E,SHA256=8D586C290F3B92B3E0BF3567E58A3A82BB9D8775E42B1E5321866B592799D04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214168Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:55.480{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83225359077D4DBF9EEC1C0974CAE62D,SHA256=510D0BB9016D7ACEF26921816C9D815AAC078E748EE9F505D9C381F15CE32A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160559Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:56.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376892D49D3C12E7CE0ECEDD8EA13031,SHA256=2F0E25AF1488C97AF09F35FD5F1E325D32A3FB8EAFD0EF76E765C9F9B1578705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214169Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:56.513{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA770EBB257B9D07444BBCF7118DBE82,SHA256=F7B903B48778811A61897F455D107D46DF57B430D51425F382D720F7C6E3ED37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160561Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:57.944{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7739A03E13F8876C87A3CCEBEC6D738,SHA256=326E0E93B9C9ECF6C386F4AF8142ED5B3590DF350580964EA9E62903521B54BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214170Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:57.532{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39BBD529896D6B6ACB8E6668F89F234,SHA256=AA38302BBF31771B4535F8BD884D01C172A104487D51B3DBF57127E35766468C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160560Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:55.700{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52088-false10.0.1.12-8000- 23542300x8000000000000000160562Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:58.944{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF875E9C32489F67CE074BCC7F05B69,SHA256=6D072D81BB9D05C717BAE8BBC29A5C99C79CCBC2CC02EF3842CA5B237AC0DF5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214171Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:58.578{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09192A0DC422B2EB602627D64ECF1B1A,SHA256=0D16A9539B98C8524A4B7E7AE3FB5A8C3EE50E0C4A1C87212235AD5D903674BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160563Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:59.944{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94673D4D620946A59111A667ADD10C05,SHA256=66D17A0FE8CEA62B5D3B6DA7EB2D4377EA63A73816B1B56D66936ACDF110F367,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214180Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5433-6116-E706-00000000E701}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214179Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214178Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214177Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214176Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214175Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5433-6116-E706-00000000E701}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214174Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5433-6116-E706-00000000E701}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214173Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.732{079FE16A-5433-6116-E706-00000000E701}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214172Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.578{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC167C8EDB531BA648AB7590565815D,SHA256=D7B8CF399DACDD72A915A8A2BC49C8B16E0E2482A44725D3BC1FE32A3AEE507E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160564Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:00.944{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0801CD219575FB11464DA6877659AC34,SHA256=07BF7F529146337EB64D831BE54E11541260F46AEA522B3825251A6B69320022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214202Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5434-6116-E906-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214201Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214200Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214199Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214198Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214197Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5434-6116-E906-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214196Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5434-6116-E906-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214195Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.894{079FE16A-5434-6116-E906-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214194Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.746{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D8FA1409ACA4084EBFF6227297E698,SHA256=91380291DBBE2708DD3316FEBE8CB95D034FDAE0F806F3C63860C74D005C5A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214193Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.746{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79A074304F1231387D862F8CE4012180,SHA256=C36E69777E50E21093F53B511FBEB319274B72FCD8B4D0B75C20C7569C44E2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214192Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.593{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E182865D05AB0D9AADD93D2512035BB,SHA256=D857C4F92BBAE49E3B17FACFB0E42CA2B0F59E3F219F07F8D6A2769E067E03BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214191Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5434-6116-E806-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214190Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214189Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214188Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214187Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214186Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5434-6116-E806-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214185Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5434-6116-E806-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214184Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.394{079FE16A-5434-6116-E806-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000214183Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.178{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\SiteSecurityServiceState.txt2021-08-11 16:30:08.892 23542300x8000000000000000214182Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.178{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\SiteSecurityServiceState.txtMD5=29871BC5D559CD54608CCE82897CA336,SHA256=1A2B4EC4BEC3643C8DDF8662A16670E6333D562D8FC57751D63E83466DCCF8BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214181Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.015{079FE16A-5433-6116-E706-00000000E701}66286828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214205Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:01.911{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D8FA1409ACA4084EBFF6227297E698,SHA256=91380291DBBE2708DD3316FEBE8CB95D034FDAE0F806F3C63860C74D005C5A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214204Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:01.661{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1089CD7970EBF572EE8BEE2B4669FE,SHA256=1C9651FED9F6F1B0E268CDD21D28B1D402CD9CB1B41577F18532EAF16E9B4C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160565Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:01.959{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7B80CEB452CD1A14CB4C36078A458A,SHA256=1BB9CEF62598CEE5B1D973D6084545AF791E3AA7F9CDB0603FCE3040F117AB8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214203Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:58.185{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64735-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160567Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:02.959{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3EC7302AAD6C9EF0A0C31F70B39B57,SHA256=546E14C9B943666941D89C82CF2111C9FC4A80CBC71B4A2425437326A4B3CD83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214206Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:02.676{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2806D2D503233FE768CEB3F2272164,SHA256=B88AC16B090BF5427FF3E0F10D121B832F56A4C31B444EDE64719F1EF98EEE3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160566Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:00.763{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52089-false10.0.1.12-8000- 23542300x8000000000000000160568Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:03.975{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF389F71244F7AC1FAB7DEE99FF559F,SHA256=CD335B8AD59A55A8F8B376CA16148922C0980821FED68CD54FF3262DA3658B31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214215Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5437-6116-EA06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214214Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214213Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214212Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214211Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214210Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5437-6116-EA06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214209Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5437-6116-EA06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214208Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.776{079FE16A-5437-6116-EA06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214207Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.690{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B97BD9C4556F2E2D8F9A4F9266B1CB7,SHA256=628DBC8BB3B72CF7B70A942750175F49322E19C74624B23E61FB91D282AF1156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160569Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:04.991{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AED5BBBC3BB4616135BBEF31DB1F3E,SHA256=EAD84F29D27FD4A69F84BCE4D226F2FC38B5B03CFE65F94A0754FA8A74ED4624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214227Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.696{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2901FADFBD10B50FD17B37BBF46842A9,SHA256=FC47EC79802C6158FADD2DEAE2DF7D2B984453265265FDD284A08D3C308825CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214226Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.680{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F16BA55FA83C03CB195D74985DA3D583,SHA256=4676870169A243A9CB5F773BA680EEA982B81E4BB673B6D33D9DA5388414F644,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214225Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.658{079FE16A-5438-6116-EB06-00000000E701}61806172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214224Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.380{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5438-6116-EB06-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214223Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.380{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214222Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.380{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214221Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.380{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214220Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.380{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214219Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.380{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5438-6116-EB06-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214218Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.379{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5438-6116-EB06-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214217Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.379{079FE16A-5438-6116-EB06-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214216Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.180{079FE16A-5437-6116-EA06-00000000E701}39244456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214247Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.983{079FE16A-5439-6116-ED06-00000000E701}49127008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214246Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5439-6116-ED06-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214245Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214244Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214243Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214242Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214241Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5439-6116-ED06-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214240Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5439-6116-ED06-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214239Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.731{079FE16A-5439-6116-ED06-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214238Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.698{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42359651115686F71C74C41AC1FD63E,SHA256=66CDA6C513537EA934D01D4FE3DE8F121AA01E9553E5480CAB54650CEAABC93A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214237Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:02.783{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64736-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214236Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:02.783{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64736-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 10341000x8000000000000000214235Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5439-6116-EC06-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214234Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214233Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214232Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214231Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5439-6116-EC06-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214230Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214229Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5439-6116-EC06-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214228Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.059{079FE16A-5439-6116-EC06-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214249Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:06.714{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50B0ABA44627CD2E24C58981D870CF15,SHA256=863404F2BA1E856E11DEEBE46953680C10D74FC78F3EFD88834029FE892C3DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160570Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:06.022{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB83D676D4E3542D1E44512D399C18DE,SHA256=D06C057A28FC300E3471D1DD94C78230E57C637E6E3689ECA2F321955C296756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214248Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:06.081{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05261178859E385C26258A766A133C8B,SHA256=512EBBCC8D45C338AEBFF66476AF22D884CE442F5D16E3F0E55A83ABBC4EE1D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214252Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:07.729{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB564506F6B723C4EA85B45EA60AB19E,SHA256=70125C5F45241841F018391E5CFF0A35B9E48B281EBEA28D66107097E611A5A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160572Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:05.841{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52090-false10.0.1.12-8000- 23542300x8000000000000000160571Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:07.053{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF8C932BDFF482A41B1DD6970FD9A9B7,SHA256=49B757CF87323BDE823118DB654849C6175893C5337302D2934D6874CD67DFF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214251Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.182{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64737-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000214250Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:07.014{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-2850-6116-B600-00000000E701}3524C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214253Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:08.744{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE5C2B1CE5849F4CEF6A9818F25EB02,SHA256=E76987FEEC5F6FDD89F435DA2989DC4EF4D574FA51D65252A36F687A78EACD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160573Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:08.053{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF6BE1FF06FA596D17C2BA84AD34A59,SHA256=F160775008A4F69C46C09E23C82F205EE774E543B76C56B893A36692A743E84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214255Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:09.759{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA22F90C3C6C507FE2C312BD38FEA315,SHA256=4941105C930A18EA906925151E2CDAD92FE890835A694104BB579EE4C99599D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160574Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:09.053{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F50B4262CEA36F28BFC7D56D71BDE6C,SHA256=9E4FF759BCFC87B7FF59B2CABC4DCB33EF579847EDFE7142EFEC641D144E092D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214254Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:06.185{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local50210- 23542300x8000000000000000214256Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:10.777{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624B365E28D4C1DC7FF513DED3F1DF93,SHA256=304B51DE23EA4FCF6347D66DB40B1D654031B00788756F44465A17F385521BD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160575Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:10.116{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647946E6870FEBA0CE98D4B1FC910990,SHA256=1D062F2F1639FA8899A56F8EF5E5F06C7767DE91B038B29A276BBC76F3C42577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214257Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:11.794{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD4A2D8026802499D4F8E8E766FD62F,SHA256=62F277897A350FD6D5676B19D692099C798B9A6B6D95ADE186B6911A6EF64F4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160576Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:11.163{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5165DAA50B9023F39B7AC5BB1CC7B86,SHA256=54B5C2FE13FD71A4358D35A5E3A799E36B42887B7343B7F4F156C0A46AC9C48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214261Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:12.841{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A077CACA9268F433C70B0320C1213B6,SHA256=34D83A0689B30A331B6CBCE54E5CB0F7BE72DD8CC1002DD68B8442ABEC2F3CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160577Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:12.178{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B69FF3E390AE790C3B0F2959B7A007,SHA256=8A9D71F79F9A7B02D44AB2B8C99BFC8CAA32D65006726C89866F703323B98A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214260Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:12.457{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214259Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:12.457{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=F0FFAB7ABD4D6ED03D0F53EF5E8054F8,SHA256=8986CC447507D3D02943F189D36AA1BEE5BA2925878AD06210C7EA5F13323C70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214258Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:09.319{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64738-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214262Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:13.841{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A780DB2FA90DF634424273EEBE5FE722,SHA256=C502B86231DDC030B44572A3EE5EFA7736D6B3F06A4FC67BC127AE36C6ACACA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160579Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:13.194{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2379E1360B1B97DC57F640A005D9AC98,SHA256=627E14FB806D478FE1FA75C85D88FA3D9B20D8565EFD5DE6EF711CC08F06D650,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160578Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:10.903{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52091-false10.0.1.12-8000- 23542300x8000000000000000214263Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:14.856{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E1884D806673B0475B0CBC8D9EF1FB,SHA256=38688F5EB3A63E3C425C9B5F934AB5E5F5264A642243E7089E029832918684BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160580Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:14.225{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9511AA083441E4D53C409470B075154E,SHA256=BB13480C7B6DE48AF1D13EAF760F035A4B58ADC2DD3521F7E9A3260162023661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214264Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:15.874{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD672B454E787F6E7877D0A2F6E2E4D1,SHA256=31AF901E85E325D8A50C7BAAEBA118D391C24BD9B550BC46B4FB00858635098C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160581Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:15.272{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5E67138676582C04EF7DFEF327E05C,SHA256=8939B032722EBC0646C041FD94E7A13DD11CA0BF28DC2ACD227577C7A73EFC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214265Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:16.894{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE7047E38773C4E4EAB1C3A207E90CC,SHA256=D898585BCD8F19D00E00F5F2D6D8BC3C914298E20B91E503DD29E301B9552E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160582Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:16.272{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CDE22D47CEA6AA3F94B08330622221,SHA256=9F03902C30937C72D87FF70042920792AF197A9079733B29941A173B937F5D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214267Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:17.909{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44860B64EA8576DA3B3DB5DB09A161C8,SHA256=E2B42CB0977EF55FDD217B0E37B829DA6E75DD8005151441D3A3566A53F46C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160583Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:17.288{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7CBC5C43DA87CE1DA35EF6B7471909,SHA256=25F5AA76A311C3E3B92D3CC92E457F3C36854873A641EB225327E7785CC836EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214266Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:14.332{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64739-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214268Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:18.955{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB018587332F752904F20B8C857BD16,SHA256=270F804584C5E67E462D12B45A237A54ED2D3145497DC16C40C52ABC5A24669B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160585Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:15.904{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52092-false10.0.1.12-8000- 23542300x8000000000000000160584Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:18.303{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D74521940BE9F6F313D351CCFC75237,SHA256=077A8C0F5743FFEBFDD2205B417877F8BA67C7A08F07D349C66BD19738C04830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214269Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:19.973{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CCCE8E05B8971ECF48F2FDEBD7EA20,SHA256=676B26DF676FB5430E5D91B4C1A03822EC0DE3F41B8C557FE39EEAA5A901D7D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160586Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:19.335{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA3883C60B837CB1DA109D4F6088339,SHA256=436C5C64BADD5D5CFEC02644B7E60315AEF69A739F620D464D923EE41638828B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214270Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:20.991{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF7B3F9152FC6B08A3B55A9D8A277EA,SHA256=8BB68ABF7B821A616A3C190BC8F9497E615BCA0F215DB9B6A2C30DCCD4B549B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160587Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:20.350{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED5814792E25668EEDE14FDCD512C48,SHA256=A02B78274C267364CF5A7588AADEA9166C289FAA95F489B98CA2A694E297D588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160588Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:21.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67E2AEAF1AE8FB073067EACE78EBD38,SHA256=C81458992B1208D544EF4EDE55B2871A7064CCFFA41D415E6638F2237C06C1E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214271Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:19.347{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64740-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160589Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:22.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C290C3113A61306F81F2AB3B9726F9A3,SHA256=72244E0B2B938C70A56F45ADBC641FFEB2E2CAAEBDEB48420A267240D3173122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214272Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:22.006{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752EBD9F0F8152CF58207725ED0AEA08,SHA256=6026864612C0A95A50087EFDF7D2598AEAC260E0589AD0B919348D47663B618D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160590Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:23.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5F59E1627D8E11E2E5E8BF98381F7C,SHA256=78B41AD931157EA1072067B720572881DE966C9F9AB43C733F7F8A59E8245115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214273Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:23.021{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0EA640F22BD9C6430E3F941BDF21BE,SHA256=0936F1749A6286986796BFCC48547B2A7C52A3D33A33E06B6171E8540221BF05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160592Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:24.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5F34D3D9370CB6936FCF86D8C39EA7,SHA256=D26F92E65584C624D4B74F737848F63722B4D602369FD1ABEBB9080DA0DDE737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214274Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:24.036{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC680A670E1DE9C8D5C939624E4F07A,SHA256=16BCDC418A9CB88ED03802974739283BE0448A814E23DDCD6CF72EAA8B8748B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160591Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:21.872{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52093-false10.0.1.12-8000- 23542300x8000000000000000160593Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:25.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32A2D095CB3ECC5002AFD64912780ED,SHA256=6214E17961B832851302A510E9BAC48028A193DB6D104F505AFD23CB8FF6E9EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214275Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:25.036{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5444EA6F7BE02F91C3AF0BE71C1C6B48,SHA256=4244D7184D6FFE970DAC322B2C9324D8C4387F6EB6D6ED5F1BF0D2B60347AEA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160594Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:26.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775210C18840CBDF9ED91A7C9A40684F,SHA256=D777E695CEEB13D112FE8DC0EB49E4B2C540AFB7C0E56D17ADA1A8DBE9E8D161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214276Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:26.051{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C27B828A687CABC55EA88047101276,SHA256=268D143E2140262E5360C0D14C6A2F727ED43150C0EBA2DF2282BD9811A25FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160595Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:27.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66444EE008493E9AD08FFC39AD4F391E,SHA256=2FF5EE32519FB3EB919ACD3E965F2A93AC8AEFD5026499B8A4C9CC3339C8B5DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214278Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:25.374{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64741-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214277Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:27.068{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E19BBBB7696A35DECCA0E4B51BCBFED,SHA256=5007B30A0BD553622A36DD0D4E5D526E20FC560EEB4850F7F42A5541B7F04AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160596Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:28.397{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA96086678AAB3D394E5BC860EF67F9,SHA256=10FCDC5366F952D2CFD16E50A17CDCC58EC50D9C88C4B6F5A15C07A6D273A6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214279Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:28.103{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCE8F153CB3C9AA565C832CB8CBD3C4,SHA256=3C26198EA0371CA9E8223DF24F07BE6955D129229FD35D179F86F1D472E06A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160597Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:29.397{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF83FB99E8923B1236481DE2D2883D3,SHA256=7A78FE7C2D7C860887B8DA43D358D3588434C4C3E757343DF717C91D05AFEA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214280Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:29.117{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDF336185FDCE31F4EE18290DE5F0F4,SHA256=4360AE0C28BD26F278DBFC4D67DC2602F1E0B6E8A83628CDF93B12A42BE81811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160599Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:30.428{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3560947A0CE955E4DFFE5169788DADA,SHA256=4298D7637C7EE8C8A83BCEAE0FDB726919FD03B9D5676453388B9DB5D7A28A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214281Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:30.148{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A87322D4963A77FF5C5F008F623A056,SHA256=02FF5CB569D3F29D5831E009E4D23BF48D7D2B39A2CA46CEB5E8C18C71E30D86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160598Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:27.732{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52094-false10.0.1.12-8000- 23542300x8000000000000000160600Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:31.428{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478C375BCF96F81CA6EDEB20E5BE7479,SHA256=3FD72ED6D6F907A6E6B635AC4E3D70401106029CD3913FB665CF028475C403FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214282Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:31.166{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77871B1F8C7BB07EEFB4CE5AA1CB7629,SHA256=E3BB4BAF3D8B9B06E16F1DDC6C6B3CA92BD491BDA85914F232BF9EFBB9EB6042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160601Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:32.428{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB0CDB1E5E66EC3F369916C40EABE73,SHA256=8B6271DFDEDA0E8A80766322C9EC49CC10CF133A47AC44D905414A99CE4DD5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214283Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:32.187{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F5934E65EAF3F675A00C144E16885E,SHA256=66045B52A6B8FD9D88D00C96050B7110C24253AB1724590A6E220E2FB75F1E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160602Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:33.444{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDA02904A973B305BE7463A533CD731,SHA256=20C2C721CF7CDEF73592A73249944ADD8C8B250C68CF2F4D274FA6E6894B92C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214287Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:31.189{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64742-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214286Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:33.217{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85598CA1BA3C6A5CB36EBA0515388D30,SHA256=2825CD2F514AA12F9EA4FE942E71ED35A7C02EC9BD42CF1B04CA8DC8A8FA0A14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214285Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:33.033{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214284Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:33.033{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160603Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:34.460{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE48C3B6C817ADBACC2A0D4E819B08F,SHA256=0E83E35F4ED0B8FB956E3E3E3911605B51398EF4B0573F9EE3688B31B100BCBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214288Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:34.247{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9B8ECABC9385D845E5E9893ED5D3C9,SHA256=E91021800E551D4136B1343DDC0222376612FFB4ACE968558F9777BFF07C8DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214295Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.830{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=A699B259693935B7C19D9A0732228028,SHA256=273B72E8B07240902ABC3AAA8DEE3127A534890BDD3730104B9CE8BBC3982E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214294Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.830{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=1529A9B69F925BEE61316856814EE0AC,SHA256=26C0FF0F4B0BCE9804174343B845CA3970AD4C593CA0F5AD060B8DBF36B2D134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214293Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.815{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=8A73D5D8E4AA094B13C497EE9F79FF6D,SHA256=4C3BC6755BE4A0CFC40E5C9696F43335AEF0CBF98A046E4D94DB07D9CFD9FE2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214292Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.815{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=6B7454562D3DCDB12914DF5FAD082C31,SHA256=9954E004B5E06AA0154790C03C89DD97BC6942E4CD797BCE2A0EEFF2179302BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214291Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.815{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=F8C97F9190D4BCA0EB87F8A410EE7E84,SHA256=A2C672E85D02776F29F9F36837C1D57476BD666D2368F8402D0B3BB9308D1FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214290Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.815{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D2235BB0677190430917743ABB328AD6,SHA256=717D6D0D530D3FA9AB5169AABA461254FD6F9A42256573FF06BB00F825CAB779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214289Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.264{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3695AA390101D6FC4D7DA4258F7474A0,SHA256=CC2B13ADB0F0E742F7F44201BB84A87B9C426D9E54F5E6DC24E914A1250633C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160606Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:35.459{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E89ADCA7A04B89B9A3F9F2AD14752B8,SHA256=994E359C8246B961C33E1EE41BEEF06A1F2A408C1D714EB0C32D01990A7362A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160605Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:32.888{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52095-false10.0.1.12-8000- 23542300x8000000000000000160604Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:35.288{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AB77899212E693F0D9F06882AFF93903,SHA256=89D5D7628E6058597EEAFDA763D6A3A6AECCDE1B5061265A80764E3DFF23DAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160617Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:36.461{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E36D3F2B4560389B80309EA6D28906A,SHA256=906766B9CB099187A9035D721DE6F12C09293EF476F0C7B93424B3D4CE20D77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214297Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:36.861{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=222FB6676401E3A7CC73741666CF7F5F,SHA256=CE7C1C271E79113868C2FA12FB7D95784B5D068A402656AA438FB7D706428892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214296Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:36.282{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DD3C677A657BDB8EAEDEC740AC545C,SHA256=F0DCE57771FC0216F2C1BBC8EFF0EB93D5BA26FD060DF40B9513FB9EEC3BE29E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000160616Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000160615Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b2a0a3) 13241300x8000000000000000160614Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902c-0x2848b67e) 13241300x8000000000000000160613Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79034-0x8a0d1e7e) 13241300x8000000000000000160612Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903c-0xebd1867e) 13241300x8000000000000000160611Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000160610Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b2a0a3) 13241300x8000000000000000160609Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902c-0x2848b67e) 13241300x8000000000000000160608Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79034-0x8a0d1e7e) 13241300x8000000000000000160607Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903c-0xebd1867e) 354300x8000000000000000160621Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:35.486{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.201.15.93ec2-34-201-15-93.compute-1.amazonaws.com54706-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000160620Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:37.476{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B5E2D441CDC7A84BE61F2C7139E4C5,SHA256=420370D6F78213912207559370475F530BACAF7C06C4E1BB2D9D5BDCA40FDCF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214301Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:34.929{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.201.15.93ec2-34-201-15-93.compute-1.amazonaws.com54701-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 23542300x8000000000000000214300Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:37.297{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B85504EA862FEA314F6BD57D09ABA9,SHA256=FD184076741E75D190175B7BF169E1F0CB7CD7AFD7564D4E31BBDC12CF7B1214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160619Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:37.195{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB20A77EBE152776B41BA08D2968F685,SHA256=98F06922E4EC71B268A882CDD314E41D9492ECD5805AC2B6195F9EEE060885A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160618Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:37.195{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5FAECBD23E16F57E11721452922017A,SHA256=4D4375B0FB0A9F1F107905C5BA6AC3E6984AD2A18F40F0A246F4B31C6C97C27A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214299Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:37.197{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D389D6FDF119B44DE5140B3E6217FA7C,SHA256=37E3E263ADEACE9392BB39DC82DB3FD20815BEC2E4EC125B63DB64C57C3CC6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214298Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:37.197{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4072E30214CE27C9F07D501E4F4EB25,SHA256=6C3E2F8AF7A54611C4024CE521199ED6C4C08F6BB79498BE56BAB4DBB8BB0708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160622Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:38.476{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453F6AE4E6A978F01D03CE3A4F3AE83C,SHA256=6CA1B0C859F68748BA6AF2546AD2F24A48D8736ACF8FEFC3BDDB320B92E00D68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214304Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:36.287{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64743-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214303Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:38.680{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214302Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:38.343{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901F1FA25A15C319AB8F91AEE06ACD1E,SHA256=FD3E8817B67F5F404A01386F58DD9FC4018E62EEDC14C3057C3D8E3D3705917B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214306Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:36.942{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-414.attackrange.local55171-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 23542300x8000000000000000214305Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:39.395{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087A09DCCB45AF4B9F3CC89339F97C0F,SHA256=042738DC78FD487742F86E0CED39C0959125AD071B00D96F04088EB0DAB8CE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160623Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:39.476{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CB75C127B139EADB21EEDBFA15873B,SHA256=C4D067AFCF2D25791BBB7C760929A77AC09D55D1DD5658E355D496DB72A3E639,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214308Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:37.782{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64744-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000214307Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:40.409{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC0E58160CF26EAAC802ED59B0236A7,SHA256=0B237DD34E962B3B1FA3E72F064648D0CC2968A2EA6F44706BBB4702133B3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160625Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:40.523{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD40DCFEA75019291C8B78AD9222D6F1,SHA256=27F48586784A53E4E7A32742240E7064419CA9D1F5DC000E19FDAB9DEDF4DC72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160624Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:38.765{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52096-false10.0.1.12-8000- 23542300x8000000000000000214309Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:41.422{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82092F1F79E17DEF6A0764BC2A66596,SHA256=DF6AD45F8DEB2286B78B2929FCD9275BF6AB4C6C929341DAFB8D25BDD77AF42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160626Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:41.523{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBE58BE6865D88E27417DA5F34AC5C1,SHA256=843F16506928B964A476256AA17D1CE40C4B6CEE0045BEA7A8584D6FC4ACDB60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160627Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:42.523{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A822203B26F57E6CA7EB13466CA0BFA,SHA256=DE1FEF44AF911E8618B7444ECE732AE45F153983C8A23857CF0D028AFAB50F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214310Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:42.424{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6A901D784374ACF7CDD4DE18DD2181,SHA256=28EFDA7603E6664A5167FAAB5AAE7C57BAC96C3D9A70B9C66579187E81DAB8D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214312Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:41.348{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64745-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214311Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:43.455{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBCDBAC19EDBAEC422FC9255C2BCE10,SHA256=6BB6341119244A86706713A0217CAED12590EF2D11A294FB8C82A0D80FB3AC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160628Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:43.523{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F98A919C6C8600F150CC6994B3D676,SHA256=5B9BE6D3321F6AB5E85389A24248BCF7EDF4A9273B1FCCB2D027A8D901DDDD91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214313Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:44.473{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F16B36ABD20EBF55B9A14FAA7995CBC,SHA256=D3BDAB89BB83773623042FB9B0331EB32F9139D08ACF91AE1FF44B69AFF09DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160629Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:44.523{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A485E1A155ACB36CAF495B83D4BCCCB,SHA256=857041909A0605B622ED96ACA2E9BFD7467E4B573868AF880BFD403011A3A9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214318Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:45.922{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=538B5AD62DF83C864A7C77AFC5DAC0E3,SHA256=AAFDF6C4CE4C3628D1A6465DD6ABC92FFBF70B66F9189D7DC26AD3938BD779E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214317Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:45.922{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D389D6FDF119B44DE5140B3E6217FA7C,SHA256=37E3E263ADEACE9392BB39DC82DB3FD20815BEC2E4EC125B63DB64C57C3CC6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214316Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:45.775{079FE16A-3124-6116-1D02-00000000E701}2972ATTACKRANGE\AdministratorC:\Program Files\Eclipse Foundation\jdk-11.0.12.7-hotspot\bin\javaw.exeC:\Users\Administrator\lockbit.rep\idata\~journal.bakMD5=DB2C69A9D2FF2C7E15545E94F891DB24,SHA256=508A623EA51ED8B89D1CF018DE7F375534291B82F2FD8286D305B68D54A649E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214315Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:45.775{079FE16A-3124-6116-1D02-00000000E701}2972ATTACKRANGE\AdministratorC:\Program Files\Eclipse Foundation\jdk-11.0.12.7-hotspot\bin\javaw.exeC:\Users\Administrator\lockbit.rep\idata\~index.bakMD5=F206172C9A776FC9834ABE664D766F07,SHA256=AFED071B228A87FBBB18D8BF39667792D6912C1D1AD2EA2F4F41DAC320DB8B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214314Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:45.507{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99DCF3613CAC7D8DB2D7B6D61C3F5AA,SHA256=8B2B807D0543E14E12B294BF211C9CF09EA1BB8ACA53EF07C647704AE642C3CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160644Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5461-6116-E305-00000000E801}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160643Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160642Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160641Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160640Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160639Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160638Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160637Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160636Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160635Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160634Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5461-6116-E305-00000000E801}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160633Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5461-6116-E305-00000000E801}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160632Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.665{C6197713-5461-6116-E305-00000000E801}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160631Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.523{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735636C0670D5DC8D19BB3679BDE09F2,SHA256=B00B3B180D4403B4D92D75A86C831751E4EBA2B1B4412E47D075CEB3E2B005E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160630Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:43.843{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52097-false10.0.1.12-8000- 10341000x8000000000000000160673Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5462-6116-E505-00000000E801}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160672Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160671Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160670Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160669Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160668Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160667Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160666Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160665Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160664Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160663Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B00A19E075145EDF03F37E57149755B,SHA256=CADDCC273FA8018B5FBA47CA5D028CFC3E7407D6AABE5AEB9BC8F57E0E8CFD66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160662Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5462-6116-E505-00000000E801}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160661Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5462-6116-E505-00000000E801}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160660Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.885{C6197713-5462-6116-E505-00000000E801}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160659Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1C1B61356AB2396F07451741F949C7,SHA256=62B986BA2AE84B001BAF89C4285C24B85AF28F237A8AC32FC56A92B3B23C8CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160658Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB20A77EBE152776B41BA08D2968F685,SHA256=98F06922E4EC71B268A882CDD314E41D9492ECD5805AC2B6195F9EEE060885A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214319Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:46.524{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DD265F0294A336771497A7E5C23555,SHA256=8A75036C9854C34FA1A0396818006B903E56695927594D8AABB2298DDB7D91E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160657Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5462-6116-E405-00000000E801}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160656Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160655Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160654Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160653Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160652Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160651Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160650Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160649Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160648Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160647Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5462-6116-E405-00000000E801}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160646Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5462-6116-E405-00000000E801}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160645Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.337{C6197713-5462-6116-E405-00000000E801}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214320Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:47.526{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C12FD75D1EBB22CFB6F4EBCD5D8134A,SHA256=E24289899E8280FB7206554E190B4AAB6ABD7C7062F2882C2A370761D192B592,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160674Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:47.070{C6197713-5462-6116-E505-00000000E801}31121196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214321Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:48.541{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885EA85D1C978942CF6449E7BAE16BA0,SHA256=2409BA6D0E94A66C77CC6FD48CF67EC07CEE72076506D167AF4FC5700254B86D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160691Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.586{C6197713-5464-6116-E605-00000000E801}39881264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160690Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5464-6116-E605-00000000E801}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160689Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160688Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160687Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160686Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5464-6116-E605-00000000E801}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160685Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160684Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160683Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160682Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160681Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160680Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160679Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5464-6116-E605-00000000E801}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160678Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.415{C6197713-5464-6116-E605-00000000E801}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160677Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.258{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160676Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.101{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B00A19E075145EDF03F37E57149755B,SHA256=CADDCC273FA8018B5FBA47CA5D028CFC3E7407D6AABE5AEB9BC8F57E0E8CFD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160675Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.023{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD29FC6F5EB43A753B9F3D0677701752,SHA256=0A50C09C9DBA4BCED521A37906BEF5A926B7F0DD29BA114203EF99FEA2A493FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214323Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:47.134{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64746-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214322Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:49.555{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DBC75C969E1D1123CB51EF3BD6DB1A,SHA256=424A87B893D5F55B182247E4D0B0F19D0EB54BB5E2543F43B080425C48F6DE72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160722Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.773{C6197713-5465-6116-E805-00000000E801}2656344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160721Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5465-6116-E805-00000000E801}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160720Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160719Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160718Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160717Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160716Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160715Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160714Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160713Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160712Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160711Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5465-6116-E805-00000000E801}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160710Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5465-6116-E805-00000000E801}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160709Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.602{C6197713-5465-6116-E805-00000000E801}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160708Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:47.906{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52098-false10.0.1.12-8089- 23542300x8000000000000000160707Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.414{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB05BEBCA2BF80B94E520FA408F48B01,SHA256=6B0B9B8180B3B5C8552ED17841F005F0694E28B6A65A8E9C848BB9E52713164A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160706Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.320{C6197713-5465-6116-E705-00000000E801}33643960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160705Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5465-6116-E705-00000000E801}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160704Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160703Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160702Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160701Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160700Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160699Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160698Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160697Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160696Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5465-6116-E705-00000000E801}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160695Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160694Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5465-6116-E705-00000000E801}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160693Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-5465-6116-E705-00000000E801}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160692Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.023{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2575586B7AB7C043F28E19E320EB59F7,SHA256=09C4E051A8214F224590A7E9881797FFEA1090CFE5A90729544B85A522753620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214324Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:50.608{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54742C616E860580EE619227F23405C7,SHA256=17584F34CC4D771BBA9989FA0FA01CB9DB14D578D319326EC3CB6AB3D312F923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160737Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.807{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A92EDA364EF22E9BABB2FB50B9B15BFB,SHA256=6B57E26167FCC6D6D4092D8FC870A33A1A8216F61AA9C9F2FAD262EEF7D33432,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160736Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5466-6116-E905-00000000E801}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160735Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160734Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160733Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160732Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160731Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160730Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160729Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160728Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160727Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5466-6116-E905-00000000E801}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160726Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160725Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5466-6116-E905-00000000E801}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160724Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.153{C6197713-5466-6116-E905-00000000E801}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160723Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECF224D94D4320ED2DFD196CB5B189C,SHA256=F7C17A533D0E606CFC6C3421C93D62E71EBAF63E45EBA329E6B24EE9CFE80FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214325Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:51.653{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198332660FECB2C3A05DDF776B403187,SHA256=AC2C06236DB04AE549009164753398C8960EDA57ECF2716D228C697E39E8BC61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160739Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.705{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52099-false10.0.1.12-8000- 23542300x8000000000000000160738Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:51.372{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234EA363F496BA149C32FDED42D50540,SHA256=303AA12EF8A2F5EBC6EBE7C0F5B6CD67F1DE134BF821EA75252CA17AF4D65682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214326Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:52.723{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510CA1FB30F11BC7B8C15F99DBBBB9E9,SHA256=12CA99D19056092C3816710AC61228882C36DCAA440DE5025B02B355B9D54D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160740Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:52.372{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD48D0C7D64E94B81E28233B1E3A0F2C,SHA256=C554C0F7D59FC60088CF97FC6B93804136AAD5426B346990B1B150749A1297F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214327Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:53.737{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F0418676771B14390E7EDEBFB319FD,SHA256=AAB187282DA107E4969D0A30B9D56CAB736516C40F0B148E1300FCF73F8B9BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160741Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:53.387{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111FF0D84A6BBD13218A341FF0363C0E,SHA256=FA39A8C600E19E24EB0769663093254B0A1FA3DBD9444BFA3BC95E9E4961C2E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214329Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:52.162{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64747-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214328Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:54.770{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1499224B006855913C7F2A3F602619,SHA256=D12947360BAC50B8D4423EA08ADCA2E7498F1D2045B98EAA8C1C7A9C1A71BAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160742Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:54.387{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE94B668080A6BBEF4719B89AAD26748,SHA256=D6A05F3789024822A05E4F822AFC6A270CBB705048C7BC98049B53D7BA4BB3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214330Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:55.788{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40F28AD8FA89C272BB08C48FD05B282,SHA256=E7F670C0B8B455C0E8DBF3004EF42447B0108BE7FC9FDB5CE13FFAE95BE06AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160743Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:55.387{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F1EDD30A6FDBF44D99642D0CD0984A,SHA256=F71ED24DF48B888532EE7381FEC319F71841C678B3A838EE08FA77A5E8B93FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214331Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:56.790{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5222765D73B3A4B2AA8B658B71982D65,SHA256=27A6C18412E2FF6439280AD62D85D5296400ECD04C3C1D9103D95D41C4B7F609,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160745Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:54.926{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52100-false10.0.1.12-8000- 23542300x8000000000000000160744Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:56.387{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A25FF4864C13BEDA6DAC95DB931116,SHA256=7F134D6711F838065EB75A9A487348EF5A5121E7E0EEA507158467A1F5DD4C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160746Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:57.387{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C15808EC295FD4E216880947EF0F69,SHA256=0AF9CBF51CC992969F281CD6483FC8143D3A5DB3A5BC2DBD0B8F3DF4F70FC254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214332Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:57.805{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAE1CC214F683852520FF9E50644B43,SHA256=1C77111C69BADDAFD1EDB006BC0119790EA3B52A84A7B8EA0A20CF9224921D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214333Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:58.821{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D21CEBBA774D7E77D9064AE70BF851,SHA256=C2AA0FC807DFD766406B75DFBB12EC62AA7AA3ACD1782784CE4F333E8D4E8882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160747Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:58.403{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3247AE8FD7512A5DAEBE7A99A6C64F,SHA256=64FCDAA91F3EDC6F89DE17F651461FAAF94CB407DF176615AFDBCC2808B96F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214342Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.836{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF900DD9BBC330A22BEE4EFF976C19B,SHA256=9B0C419EA4145B39A6F4921ACDFE635AD340BA84063A8E7EE6117EF52BEDD3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160748Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:59.497{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC83CE776D206DAA7F89EAEF4ABA343A,SHA256=C2F345D320C670A58277899864FA69CCD89B2FC81BDBD7BBB6595394AA81C5FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214341Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-546F-6116-EE06-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214340Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214339Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214338Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214337Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214336Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-546F-6116-EE06-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214335Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-546F-6116-EE06-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214334Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.738{079FE16A-546F-6116-EE06-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214355Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.846{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA7DE9033BD05CB9BB6B780AA01B7C7,SHA256=A056D7C3FC6B22E5EF41ED279FFBA56B7645F11582BF6A589ED73EC31B43017A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160749Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:00.512{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B42C4FF55C70052BA42549C12344F57,SHA256=803D5566949971A3DB1D7D7A39BD4252BBAE09552866BC82D20635561645B20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214354Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.748{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=672168D36C509B367196C344760D5F9B,SHA256=53997CA7E6BC234E39F3248C7F9C49A0754DE8610B20041E3CE95205616D6832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214353Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.746{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=538B5AD62DF83C864A7C77AFC5DAC0E3,SHA256=AAFDF6C4CE4C3628D1A6465DD6ABC92FFBF70B66F9189D7DC26AD3938BD779E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214352Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5470-6116-EF06-00000000E701}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214351Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214350Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214349Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5470-6116-EF06-00000000E701}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214348Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214347Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214346Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5470-6116-EF06-00000000E701}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214345Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.610{079FE16A-5470-6116-EF06-00000000E701}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214344Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.138{079FE16A-546F-6116-EE06-00000000E701}52604896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000214343Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:57.230{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64748-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160750Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:01.559{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE2A4CDE4C28D28D6C7F669464A69D6,SHA256=2934C87058F3BEA23588B0FE97EA7605EEC5CE14E362616981E39D4938C1D375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214364Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.861{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4301F62B6D90F4554615375D2E5A395D,SHA256=DE5E2D5FA7EA0A3F63B746660A44191D0C15965437E913120C3818F2E62354FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214363Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5471-6116-F006-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214362Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214361Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214360Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214359Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214358Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5471-6116-F006-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214357Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5471-6116-F006-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214356Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.479{079FE16A-5471-6116-F006-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160752Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:00.723{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52101-false10.0.1.12-8000- 23542300x8000000000000000160751Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:02.575{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC713F49F7CAF7E0268C87E6DFA6783,SHA256=2C5EF9DB76F0E33C6DE9EE6C385DEF7BB37ED98250528FC03DA536FD536F31CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214366Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:02.876{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24050DAD5D626A537F9CFC423C2428E,SHA256=F58BF3C3D8A566400F0BCCF7A91523879359A6DE53218B8C93FC7A92157550FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214365Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:02.507{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=672168D36C509B367196C344760D5F9B,SHA256=53997CA7E6BC234E39F3248C7F9C49A0754DE8610B20041E3CE95205616D6832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214375Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.907{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CEBF0E033D73AC3714F67D708B7696C,SHA256=A74328316DF779D27CA2C02651D66F9CFA054EF4286AA3F88B42046EE0329944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160753Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:03.575{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72ABBF83C8D5825523ADDB6F8C375AC,SHA256=EE3E72F6D6B4D1C7FF44039C17E85384B3B1A70403DD43C553DDE4AFA891F050,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214374Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5473-6116-F106-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214373Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214372Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214371Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214370Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5473-6116-F106-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214369Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214368Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5473-6116-F106-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214367Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.792{079FE16A-5473-6116-F106-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214387Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.974{079FE16A-5474-6116-F206-00000000E701}71244428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214386Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.921{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF3955AE416364637FF409C2A293675,SHA256=E419F36590D34E9DC9D62BC11E526E4A0F31D74505250D247AD726AC79DD4728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160754Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:04.637{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71F339261F81A497A0F36C746B10FB7,SHA256=3D58B8F91707D60E1105E9D196342A0315DC538BD8959F24E66658D4B13D973C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214385Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94B5FD848253B503425D84444598299F,SHA256=3088031FD9501C9732C95B9791592667745ACF6D94AE80AD2B0FF9D61568A407,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214384Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5474-6116-F206-00000000E701}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214383Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214382Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214381Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214380Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214379Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5474-6116-F206-00000000E701}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214378Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5474-6116-F206-00000000E701}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214377Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.676{079FE16A-5474-6116-F206-00000000E701}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214376Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.122{079FE16A-5473-6116-F106-00000000E701}19923924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214408Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5475-6116-F406-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214407Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214406Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214405Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214404Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214403Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5475-6116-F406-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214402Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5475-6116-F406-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214401Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.975{079FE16A-5475-6116-F406-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214400Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.942{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ED098B6E1AFB7EF511A150877E165E,SHA256=6675FC1FAC41F970278382309A2DF04C6936FEC09F85C71E2DB2C4F28C53EEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160755Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:05.637{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57365629E0E8B655D34582D0271A1F9A,SHA256=12164F848DD1C3070D20B1D76520233C1752EA06C5270173BC899405B279FE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214399Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.689{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7C3972D7AAD6CE2F77ADF1D011FDA42,SHA256=30AF15B7AA2482AEDB12C4371566077934FEC868C0CC95CB99129721A4DDAEDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214398Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.543{079FE16A-5475-6116-F306-00000000E701}68205588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214397Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.332{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5475-6116-F306-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214396Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.327{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214395Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.327{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214394Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.327{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214393Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.327{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5475-6116-F306-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214392Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.327{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214391Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.326{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5475-6116-F306-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214390Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.325{079FE16A-5475-6116-F306-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214389Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:02.785{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64749-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214388Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:02.785{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64749-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 23542300x8000000000000000214411Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:06.974{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DA156EB4A1CAEEF2E6C551EBDD80B1E,SHA256=3FC22B68A9073411BD8B820C72B95415856378E2A4EA73F9C581517965462C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214410Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:06.959{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB21F82D63279C8476472A2518D29B1C,SHA256=5BF2D4AD2F55EA3D2FEED724C67B95C2D2A7397E685B6EA9D927E8CF90192C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160756Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:06.637{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD9C54262ABB68C810BFDB2EEFA9251,SHA256=8059C7596E36EBED6DF038BC490C895C9EED03FE9B39CDC289F7F8794CAB23B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214409Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.245{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64750-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214412Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:07.973{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3254CC8A723C63F025DD89E17661B529,SHA256=D2BB16439584643F77E4160E91D4FC5631C1CBFD3A8FFABE941199FB3B2F2B28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160758Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:05.785{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52102-false10.0.1.12-8000- 23542300x8000000000000000160757Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:07.653{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA162CAB8C216D66A782A83539DB9557,SHA256=296197E24D56C5DF759F13C4B49B7DD1D100F53905613412956787001C2D0231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214416Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:08.989{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044BAA9C8042A2274EC866C4FEDF6553,SHA256=2146356486095A127B1968A4F45D262E547607A0F833F3F1D8B3E4864096FCE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160759Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:08.653{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7C08A961026225CB4BEA1E77BCAD0C,SHA256=83ADDD6DD9FEA13AAB7312E2EEEED558ED84EFECC2E5A5033B5D65CF50C2DE33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214415Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:08.105{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000214414Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:08.105{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214413Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:08.105{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb32321.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214418Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:09.989{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00265A7AB022EEAEA374E5608E8F8C1,SHA256=C9E8AD4BE51AC63083B1C58536D891D953A3B6C5921566E1EB87221A715B478A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160761Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:08.573{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse118.69.82.69-58340-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000160760Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:09.653{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943D5C31E06A5106248007C600EF580B,SHA256=1D61596BCA793F0D60F7E4029E314139B20915C13313CB508946CDE895F1CA37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214417Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:09.057{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160762Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:10.668{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF1CD48788B7E47FFC6565561E2AA57,SHA256=FD2C1D7B1BD0451BCDF4E18E95F76299261C96010E8F70D6C2789BAF4D751526,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214419Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:08.010{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse118.69.82.69-58327-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 23542300x8000000000000000160763Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:11.684{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F53A0F5EFCD052DAA77EFB3B6F8ED7,SHA256=999A87B2906FAAC48708B5DBA0F406AA2C9DC0896AB9DA3F4CEC76737B31EDB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214421Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:08.344{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64751-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214420Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:11.038{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373C67E3EE5752D901464871013E4D1B,SHA256=C6B652B144EB0D7520FEF52B444EC2164D931590792C5ECEA9D6358E7C76A48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160764Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:12.684{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D953ABB2D08C43B484600A88BF8AEF,SHA256=CE1676DBDA476879810D9A6B18507C4614B3B8BD99D0C9048B3DE5F819B4E1D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214422Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:12.138{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB16A952EE827147E59A290752AB361,SHA256=CDC493F05FB4B9A819DABFD7C7B964AF78F2104C0BBCACA3B5495A8AD80CAEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160765Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:13.684{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF329B5DA3C6B4458364D5AFBA9185F,SHA256=446D997E9320B5B907C832588895B6A8BDB723228240C2C414AEAA59A94482B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214423Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:13.155{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9A7FA1007908C70E39530FFBF1710E,SHA256=3B2DE49EE52F921B94CE21F3FAE989B5597286B69DEAC4B4BE6D287452FA3643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160767Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:14.731{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C677D22C9AE884AA998BCA969A80C0D0,SHA256=46B797B8C0DEE1865C68AF4E201714A16E37A0BE153D0DDE575CF33C0C4881AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214424Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:14.170{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387C340DFE9587D10A9F7F2CB732B7B2,SHA256=5DD5CE386AF9535D362DF3C4FFA6A9D9E00DB791098BC7752BB893924791D516,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160766Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:11.707{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52103-false10.0.1.12-8000- 23542300x8000000000000000160769Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:15.731{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCDEB9CB19BE958EB71FE8C01B833DD,SHA256=007A1360F64E421B987C9B7FE174752D67332F2F3521CE5F7F7430E07167F1E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214426Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:12.548{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com59416-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 23542300x8000000000000000214425Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:15.185{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FBC0F2FAA63C27840F188F9751220F,SHA256=9445D77884E3147A991D3E3039162CF9A491C3CB05F5DC3D0B7570C7C2F16208,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160768Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:13.097{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com59418-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000160772Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:16.856{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=967533369FD0A01BFD70F4D8BCBCE776,SHA256=011BBE2D225705093E062199D716FA92BAC78315B4554880C55F842A73DFD452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160771Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:16.856{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=386EA7DD4735C4A6AEC5F42515534E8C,SHA256=9AEE888DD98588674E2FA82C69CDA5C6194DF5C4C3FE7085752462D589E27BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160770Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:16.778{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D039A18E40AE159C66392DD9DFD5D86C,SHA256=E25FA8FE42893175C8373F935899623591566AB80AFCE371163CD48E610CF187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214430Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:16.852{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BDD4EB77D0822182B4F0D1D3F043644,SHA256=C7E68B4C55CE6D020F64FF75985916381DCEAF4BB6618BC4AB041612D3ADDA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214429Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:16.852{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=971EA32AE60358E0270AD9444DAFB368,SHA256=0E42A02A711F7E7A9C5FC75001088034FBCD6658C393ABC61A1726A726260E16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214428Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:14.356{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64752-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214427Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:16.234{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C878BB58663BA0D5C2358DE1771912,SHA256=ABDC8B0E4A951042D18BF41B9741602EEFE42C91BE2AF711253CBD9A0C660529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160773Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:17.778{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B61CB9BEEA6A72F273353CA15CDBDF,SHA256=FBEC61DA6ACFB8FBAE1952DE69413E332D0662835913FD58658FC18EEB93C6BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214433Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:14.979{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64753-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000214432Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:14.979{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64753-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 23542300x8000000000000000214431Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:17.252{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743FA78B0AAB26B692C7ECFF164D89E6,SHA256=C5BC04C9C803C3F33B0163F4F208EC27D98312C6E53EA065945D96DA24BDBBFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160774Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:18.778{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2039C0DE07126332B5702034FA238C14,SHA256=397849679EBA7D4CAABEFCA00479B336886F413AEF8505354609E7E11EBFB7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214434Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:18.267{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBC064F282BD3F67028857C11B83C02,SHA256=436463372757CF5C1230B0C8D6746E9DBD5DFFA30341A6A7E564D92F0CB8E867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160776Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:19.778{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A13AE135F8FB50F5942D7937C9A93B3,SHA256=A7033FBDBE9EFD404E0A586E4BE54A07822C143D3EA842109414E0FD1DF3FF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214435Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:19.297{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B895B94CE9E16EBD171922C98C86DEDB,SHA256=FB29B88CCAD9BFB3A45441C78E1307F571B4DF7447A33FC6825A85B4AE68014B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160775Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:16.801{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52104-false10.0.1.12-8000- 23542300x8000000000000000160777Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:20.825{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA06893B34CDCE78E40092D197FD414,SHA256=E080354A85C9803E7FC7FCECE3AD4D982311D10CD6FDFDDA364C1871752B2562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214436Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:20.312{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDE1023CBF098CCA6CC118C8107B1DE,SHA256=D983F86A877D783EDF561B5F39157CC829F0310C1DC0C864902DE9739BCC03FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160778Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:21.825{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2DFC06F59B3C8CFF0CA9E102EEE369,SHA256=23D8C9897037062BE044D01E739F8C0AC5AF1E8EDCBA0FF8AA323824E1CB5044,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214438Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:21.349{079FE16A-26A0-6116-0B00-00000000E701}6285044C:\Windows\system32\lsass.exe{079FE16A-269C-6116-0100-00000000E701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000214437Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:21.330{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB336B259710A8F074645AAD116E0AB1,SHA256=770605CE9DA92A809691A6258B0A2F8D7EFE4703DA2BFA4EC118B587F6D552E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160779Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:22.825{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A8C6B54AEADE8E3F767B4C4EEC732E,SHA256=B02E8C80D134018CC39EB3221D9B1C91747B399191C550407F10019D1AD18DF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214446Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:20.407{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-414.attackrange.local64756-false10.0.1.14win-dc-414.attackrange.local389ldap 354300x8000000000000000214445Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:20.407{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64756-false10.0.1.14win-dc-414.attackrange.local389ldap 354300x8000000000000000214444Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:20.377{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64755-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000214443Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:20.377{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64755-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000214442Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:20.351{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64754-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214441Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:22.348{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A926997A760E4217DDAE4D6304FCDD5,SHA256=9695A6C69BDEA786D605CECA22A4909AEAC5C33640BE79B1531AD6B7B07124C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214440Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:22.333{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63795D192FADC10F68734E911C367561,SHA256=D1DA0A1BFCF751EAC4D1DDB6C5496EE21A87A2BD88D6F3CAB46A30B97261D3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214439Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:22.333{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BDD4EB77D0822182B4F0D1D3F043644,SHA256=C7E68B4C55CE6D020F64FF75985916381DCEAF4BB6618BC4AB041612D3ADDA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160780Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:23.825{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B6209047E8E99E38837D8B49F1F041,SHA256=E12097180415786D442FACCD7630300D88F78061059165C7B4EDAA07534015AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214453Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.397{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85215CBB6DE9B98A6C4339E17D196868,SHA256=00043D0C49D17FDB367D77BB4D5A8BCEBD110BF24BA6066C952DBA0883CF2552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214452Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C507FE8870E570FCCE47B55F155BDC78,SHA256=E51A39326A4A0752E36D1A3AE140CFF7662CF6C9587DFF4375E2EAC14E6FD809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214451Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=FE7427AC693FF63018FDD98CDD450D89,SHA256=7D5B872113111F03B1C378FD363ADD58D1CA0DDCD4B7EF1746987971BD402BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214450Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2E6AE421C76393DE6BDC07785A247D02,SHA256=0FAE99E526F9259A568267ACA423CAEF933D3338A4FE88BD4EDBC466CC3172EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214449Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=061E85ADB8771FC1530A5F71D7953954,SHA256=C132E083196500FB1D5F1CE9F324F957E09D46D2284E02D86D93BB34DA937703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214448Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=ECCB039EA40D4ABAA444651F8212EBDF,SHA256=531D1FF6D3D75FD61539F306DCDDBBFF8A992C91ADACC0B94CC46EC57F13B84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214447Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=86AA9920D9B38D7690AFAE78CA7DFCEB,SHA256=38C35E0E55D1D6898F4FFDC8D2211190520DDA3DBF6F03CDD433B78955E45F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160782Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:24.872{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C785CF64F9D05A875D136C130D1F870,SHA256=0B30BC3EB7FCB6F04C294190C4BD6A60887ABFD3D284009DB6C00FDA707D58ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214454Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:24.430{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8B3AB6D66C2168E125AE2E1B16AF38,SHA256=DB16D72BB35A3897AF0CAECCCF703AE9930031E77BC31F6A693F6B092FA60B5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160781Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:22.723{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52105-false10.0.1.12-8000- 23542300x8000000000000000160783Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:25.903{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A0E2F8BCC35A79A0E604E4DC4983E8,SHA256=E9A5BDF0A114E7FE911FFCE6B9CE9827260169C59DBE8A73DBDD225D30C71F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214455Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.463{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4F9A3877863FA3819CE4B358C17736,SHA256=365DC763EAA06CD8BA6E253D85EE505E6482DB2CE4E33C924433C9CADECCE9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160784Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:26.903{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AA6F2A339BF699C090275DF114B1F9,SHA256=92FA9E6B2F7A91D2FE084A7464BDDF5BD830274B33BA437FDC4072B9223155D9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000214459Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:16:26.609{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x8000000000000000214458Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:16:26.594{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\44A90C05-1D96-49A2-A5E6-242C78701B1A\Config SourceDWORD (0x00000001) 13241300x8000000000000000214457Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:16:26.594{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\44A90C05-1D96-49A2-A5E6-242C78701B1A\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_44A90C05-1D96-49A2-A5E6-242C78701B1A.XML 23542300x8000000000000000214456Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.478{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89300D6B104103D857F184F4EEBD83A8,SHA256=635E0ADC2992537DADF1FE67AB74E220F8FAB031A1BE2B495C125B55A91702AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160785Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:27.918{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA5D467FE471DD91F2C3E6A95C74ED8,SHA256=EBCF689D28C63070CE55581214FBA12F724EA71AA2610BB579D340E410C2DF9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214468Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.745{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64759-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000214467Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.745{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64759-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000214466Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.737{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64758-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000214465Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.737{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64758-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000214464Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.705{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64757-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 354300x8000000000000000214463Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.705{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64757-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 23542300x8000000000000000214462Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:27.631{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA8B29BBD70A7E9994D65E99992C4977,SHA256=53300D6FC9155984B41732E40EAA7A29929499D0E74EE95819648C8D069992F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214461Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:27.630{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63795D192FADC10F68734E911C367561,SHA256=D1DA0A1BFCF751EAC4D1DDB6C5496EE21A87A2BD88D6F3CAB46A30B97261D3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214460Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:27.493{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7159E248D0F4C3313F134FCEDABE4722,SHA256=2A7200E272A082DB3A2D7829F8F60846F43B912572B836D6A32C7D1707B02ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160786Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:28.918{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346FBD2A04CDF542616FDC199A0C49F7,SHA256=B74696CC00376B50BE1B06311A4F576323E272AE3593EF7FA8B2B90592A6A82F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214494Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.280{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local62408- 354300x8000000000000000214493Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.278{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local63203- 354300x8000000000000000214492Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.275{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local61279- 354300x8000000000000000214491Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.274{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local54323- 354300x8000000000000000214490Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.273{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local63938- 354300x8000000000000000214489Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.269{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local61053- 354300x8000000000000000214488Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.268{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64536- 354300x8000000000000000214487Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.266{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local61891- 354300x8000000000000000214486Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.265{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local54389- 354300x8000000000000000214485Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.264{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local61253- 354300x8000000000000000214484Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.264{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local51670- 354300x8000000000000000214483Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.261{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local52676- 23542300x8000000000000000214482Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:28.561{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243C3115C3DE8B3E818C3F11BF2934C7,SHA256=AA4A1781DB29246C93B332FF15B677BD0869F7C80DC5A9CC62665E5D01F51D63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214481Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.258{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local64294- 354300x8000000000000000214480Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.254{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local59431- 354300x8000000000000000214479Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.253{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local61249- 354300x8000000000000000214478Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.252{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local52214- 354300x8000000000000000214477Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.248{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local61237- 354300x8000000000000000214476Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.248{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-414.attackrange.local61237-false10.0.1.14win-dc-414.attackrange.local53domain 354300x8000000000000000214475Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.246{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local51368- 354300x8000000000000000214474Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.246{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local51368-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domain 354300x8000000000000000214473Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.236{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64762-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local49666- 354300x8000000000000000214472Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.236{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64762-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local49666- 354300x8000000000000000214471Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.235{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64761-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 354300x8000000000000000214470Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.235{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64761-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 354300x8000000000000000214469Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.187{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64760-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160788Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:29.934{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FCF1F764F54C5C55E4F8B468C02B65,SHA256=11EA8DCD546CBE64B38E1B76FDABCA9E48B2229C1F57B259A10B8002215601F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214497Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.285{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local50997- 354300x8000000000000000214496Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.283{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local63024- 23542300x8000000000000000214495Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.576{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E73EF3FE6399CC78D236A817BD9B2EF,SHA256=B9AAAB92CC0A071CB6100A55192DC391DC90C3B8CFD05B386C43E92CC6A276E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160787Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:27.911{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52106-false10.0.1.12-8000- 23542300x8000000000000000160790Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:30.934{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54CC89A2B3A2AB3E4F0C1627FE54A53,SHA256=A6BAF93E23B05CE3E18485B47CAC11011BE3E41E5B97BB0C33D464FE800DC6F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160789Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:30.372{C6197713-26A0-6116-0B00-00000000E801}6281420C:\Windows\system32\lsass.exe{C6197713-269E-6116-0100-00000000E801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000214534Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214533Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214532Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214531Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214530Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214529Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214528Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214527Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214526Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214525Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214524Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214523Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214522Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214521Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214520Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214519Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214518Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214517Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214516Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214515Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214514Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214513Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214512Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214511Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214510Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214509Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214508Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214507Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214506Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214505Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214504Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214503Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214502Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214501Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214500Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214499Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214498Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160792Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:31.934{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C803CCADBC67BFFDE7448E1E4513AC,SHA256=466153A209AE580EF38E9122348F852700108406457B5BF5E0D26459F3BBF7F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160791Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:29.710{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com52657-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000214549Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:31.393{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA8B29BBD70A7E9994D65E99992C4977,SHA256=53300D6FC9155984B41732E40EAA7A29929499D0E74EE95819648C8D069992F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214548Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.305{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local62517- 354300x8000000000000000214547Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.303{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53546- 354300x8000000000000000214546Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.300{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local63009- 354300x8000000000000000214545Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.298{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local63349- 354300x8000000000000000214544Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.293{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local50309- 354300x8000000000000000214543Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.290{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local60894- 354300x8000000000000000214542Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.286{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local60866- 354300x8000000000000000214541Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.280{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local62540- 354300x8000000000000000214540Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.278{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local54238- 354300x8000000000000000214539Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.275{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local51029- 354300x8000000000000000214538Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.273{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local63759- 354300x8000000000000000214537Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.271{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local52461- 354300x8000000000000000214536Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.153{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com52655-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 23542300x8000000000000000214535Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:31.026{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252FF61C90955A96A184B3FA067D7F06,SHA256=17E1622F28FFDC88D4B9CCA3494C27E55EBCC77E862A5EF359023C08F40B9259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160796Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:32.965{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1C86147A1BA82DC560503B7FFA9B02,SHA256=A170FC181D4F21BA07B7116F000CABBFAC86C68D8A85E56F01A2B10E7851E2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214558Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:32.846{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90E332BC11173536868800C9DEEE80E1,SHA256=49D615FBC57122FAABC96E278AD5D043C9E3B4ADADB0AA9AF88B9E6F3B52070E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214557Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.493{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-86752107-false10.0.1.14win-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000214556Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.320{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local51864- 354300x8000000000000000214555Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.318{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local54213- 354300x8000000000000000214554Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.316{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local61390- 354300x8000000000000000214553Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.315{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local63332- 354300x8000000000000000214552Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.313{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local54360- 354300x8000000000000000214551Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.309{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local50704- 23542300x8000000000000000214550Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:32.077{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B4D818ADCBDD3045B12B6EA650AEDA,SHA256=1A773F0319A74D86DCC1033D360E47A7462C88A090E4EB3B304407CF3233C9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160795Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:32.856{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FE7086838E96CC99A75A968516E4177,SHA256=A3139289F4352807F8C5546B2F49190259215B51D1F51DDD1ECA04E6D91739D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160794Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:32.856{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=967533369FD0A01BFD70F4D8BCBCE776,SHA256=011BBE2D225705093E062199D716FA92BAC78315B4554880C55F842A73DFD452,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160793Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:30.040{C6197713-269E-6116-0100-00000000E801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52107-false10.0.1.14-445microsoft-ds 23542300x8000000000000000160797Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:33.997{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAAA405A70F1651BA8DC505B958A2E2,SHA256=9462891CCF2F920FAB5C0B40E16F0C82B57F654420C20E44173263C41B79AEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214559Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:33.130{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A5CD71E722488FEDBDFE6946E4C7AF,SHA256=9B4A23DD4629C884DDB2D1683C37EA4D5DD22933BAF5141964A19016B968B34A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214563Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:32.036{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local49929- 354300x8000000000000000214562Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:32.033{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64399- 354300x8000000000000000214561Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:31.201{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64763-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214560Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:34.179{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A1B1E9BECA5BCD6BED9EF24A83800F,SHA256=55BF9A654AEA27BC407016808C33BEF5FA607D0F71C0AD220BF106D259B12D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160799Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:35.293{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D6031A44DB4AA95903FF777411FA291C,SHA256=8F913C95C3564A1A222AE24CDDBCEB980C92BFBEB3FE89F5C1C75D71B091B32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160798Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:35.012{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA47A601EDCBE47B9F068E0BD1FA7EF,SHA256=9ADE9BBEE541E6AA14ACBD0CA7AB0E894D868EDAC79C3A36174719BB6AEC7386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214564Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:35.194{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFE9E01DD809ABA2B0A4D64F52B83F8,SHA256=8E22036419362A55D680955592CB63CE2BB1AC320E0DED25946AA25962B89884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214566Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:36.861{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FD13FD94268BD72F2861B65173B66D0C,SHA256=21A82E08B14E34BF822507067223F8325C89CA429FBE96BDB8A5C36EFD983F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214565Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:36.208{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C3DD4B7210C4EA08571B44FBD70D5A,SHA256=525F2B7DE37023EF2CB5FAA46928841C4F3D0EAA43ACDBAD92403223E2DE88C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160801Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:33.864{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52108-false10.0.1.12-8000- 23542300x8000000000000000160800Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:36.028{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2BA1A4268A3822B77996CCB6EFCF65,SHA256=B183B6B6CBA44CA9E10B82A6CC220D7C7DA82AFA635092D35755302CC4A2CEA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214567Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:37.227{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDF445BD150E79D75F969F8E413BBA7,SHA256=666CAF0D84BAD57E91C47BE43BD76EFCDE75A37B4A9E92B0B997507801BE4A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160802Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:37.028{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0EB290EE1ECA71EA40B7BE02D58C4E,SHA256=5F9AE12E1C2ABFA44741005A9AB09BD72EA18AAEDC0832B5805FE7898D7E9FB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214570Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:36.332{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64764-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214569Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:38.707{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214568Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:38.245{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C63FA25963E4F500CE57DDDF83471C3,SHA256=0E31BE606DBAA06399B1A0E5466F055833A6EB0E791362D8E8E5A4439F4AEA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160803Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:38.028{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCC8176BE977D5E2A0FF51B5685152E,SHA256=884C475A16967E1AF28E1C709C05C7383D051CA6726DB7333EA74A9DC9B1EBE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214571Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:39.275{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA03EACF4030EC3529122F192E5EC06E,SHA256=8EDE5AD13F4D2B67C5434C3C48B5075E7643D6AAD414F1E227ED1C5018DBE7D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160804Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:39.028{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B13038968DEBD8CB8445D5B452331BA,SHA256=6338BBCF79F4EBA55F96C4F3F7D75FBA564C0A825BDF78F4BB0CEAE7048928A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214572Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:40.276{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D146A489658ECD2459D8F5B24AB68AB1,SHA256=ED79BB7ACE5EFF1492EB4A5E5BB52B3E3307F2DA80C9AD438311337FE7CF6C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160805Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:40.028{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02733BB91A54730A5302A460B9D9993,SHA256=DCB296893BF146A92FD1C352C47DBA36A7CD65CF539FF0182B16FA480A487A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214580Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.962{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=8C7843B61C285F2E8420471AE78CBC84,SHA256=1CB8D078556ED31709A5613C5025B5DDFB4863D5D79A0F4E1E6D6CD604586A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214579Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.962{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=0B0004989454B2C71057FA19C1C0FC04,SHA256=3907858A5A4A4FFC7B8B7E217EFE641C39552AABA47990CDB931AA236FB4EAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214578Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.962{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=3494BD052C541799009342BEC45E3F76,SHA256=3907DE8C50066881CE6AF27E4E2341809C03BDD6900E8D2BA8EA9C7FD8F4C32B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214577Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.962{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=DEE723AE6190D61DDB278DF7EFE6ED29,SHA256=10226E27584C65B34ED5E755B7E67AEF69CB503437A68AD10392C321122DAE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214576Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.962{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=F3716F79BF3E2535D9B0533F109BABA1,SHA256=12A4527549DE0C2767C2A2BD86B752A772DFBC9877098032E86889EBBDF2E2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214575Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.962{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=883A09F3D599D919786EA36985FB3E30,SHA256=8778DD6A78D11385A84F1327F261AA442BCFF3E1FD213CCF4864CEFDD57F0517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214574Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.277{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B88969189AE206B8E4F7E1B78B3D0D9,SHA256=5AE59EA91CD63E939A6D0C063F5A810F613230D2E572F9F3480F0FA6FDD0D203,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160807Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:39.692{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52109-false10.0.1.12-8000- 23542300x8000000000000000160806Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:41.043{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2C49C5DF86CBEA5385EB2AEF460177,SHA256=C4151AC1C6BBA01ADFBDF3321C5931FE1BB984A85CFB3FFF59075DEC84B1FE09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214573Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:37.816{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64765-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000214583Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:42.277{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443F6EC3CC8D8DC8ACBD31C600A5DD2F,SHA256=4C6598D37D9180B2024E03357F56BB9A30F332A6FC21785AEF58E7BB2F14BFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160808Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:42.059{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F958FBEE54251F49FC2B66261599993,SHA256=5B1365970AE08170DE874058552C504C3214429793C50B2C0C268FABE3DFB032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214582Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:42.146{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEDA6C1EEF43A8136141EBAE24BAF6F3,SHA256=AAE3E52772AF8BBBCC6507FBCBD44E657E72B78D8B00EE15D18A29E8383D414C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214581Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:42.146{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FDFD505C211DF256EAD3146513D4E12,SHA256=030AC067340E129AE07DCDA50181A75AA546D58C92A47E5F11340B38055D05A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214584Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:43.308{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A620E388147B1BBC40E0798721590EC,SHA256=6A46BA730635B7E785765F1C8BD1F650301FD35DFF8521F5B3A61C141EB129F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160809Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:43.075{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5403891493084A85D340100ECDBCD2,SHA256=201856CC021129C4857FC3785BB11760D198DE9CB8E582823B855AD5DB6BAED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214585Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:44.308{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F966455CBD938AF8D7A78FCBFF49344,SHA256=40BDA7572F5E1F8BCAADD200012C5CA9F7F6113F410CD9E6C27D8F6112E16975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160810Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:44.075{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645B920D230510B90B8A5B752F1C4B1F,SHA256=315879EB2871F9E87A47D51E6B93370017044BE8C2406ABE099CA45B47CDD58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214587Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:45.309{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7541D2B1663F809AB9ACFD47540E4597,SHA256=E343BD385DAA280AE765330CD1599829B12FCC061283D2D0AB7DE2EDC8C95E2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160824Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-549D-6116-EA05-00000000E801}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160823Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160822Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160821Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160820Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160819Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160818Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160817Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160816Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160815Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160814Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-549D-6116-EA05-00000000E801}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160813Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-549D-6116-EA05-00000000E801}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160812Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-549D-6116-EA05-00000000E801}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160811Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.075{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A4B5A70397FBD96E0A6CEF585E4045,SHA256=9FC87F5459C83B44C64AF00672B2221EC534EF99DB5A53794F2AE21992D4341D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214586Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:42.151{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64766-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214588Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:46.328{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E89B65CB313B1487F2C29DB2B73BCC,SHA256=A27DD4F02B3C7D24CB724FA16A5A5C127A75C684A281D959E4CF796B1558F48F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160854Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.887{C6197713-549E-6116-EC05-00000000E801}33283596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160853Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.872{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D987B8C8B962FE900E8D36C807A0C3A3,SHA256=EB01750F83EBC47603D1A0A852BDD425D4AA6CF2C3E3E1B2FFA6FB14830F1632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160852Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.872{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FE7086838E96CC99A75A968516E4177,SHA256=A3139289F4352807F8C5546B2F49190259215B51D1F51DDD1ECA04E6D91739D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160851Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-549E-6116-EC05-00000000E801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160850Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160849Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160848Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160847Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160846Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160845Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160844Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160843Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160842Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160841Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-549E-6116-EC05-00000000E801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160840Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-549E-6116-EC05-00000000E801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160839Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.654{C6197713-549E-6116-EC05-00000000E801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160838Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-549E-6116-EB05-00000000E801}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160837Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160836Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160835Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160834Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160833Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160832Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160831Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160830Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160829Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160828Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-549E-6116-EB05-00000000E801}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160827Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-549E-6116-EB05-00000000E801}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160826Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.154{C6197713-549E-6116-EB05-00000000E801}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160825Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.090{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBB3488B3B4A395628435177E515C3C,SHA256=1410327883DB1A175CBF0F1FDDADA798933D03F72F93046DF5362A72F9681AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214589Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:47.345{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1160F62759204D257A68C2F0A22FA5AF,SHA256=303015D0BE717010A9FA2EAD3BDE8B3B80D264F309A00D8D90669BC95EDCA5BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160856Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.724{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52110-false10.0.1.12-8000- 23542300x8000000000000000160855Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:47.168{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069D1D465E364491673FA3C7A7E5D31F,SHA256=692F0967A94358176B8D31B0F11E40B6286A9BDF17F0F0ABEC1C78C57798607C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214596Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.377{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737D8B84C81DA42B537D7BF6392DDA7C,SHA256=346A9BA03A44B7AF877F4C68D5BAEC159D4E3063FE93AAD3E9E1F07BD22975B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160886Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.965{C6197713-54A0-6116-EE05-00000000E801}26843572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160885Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54A0-6116-EE05-00000000E801}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160884Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160883Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160882Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160881Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160880Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160879Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160878Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160877Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160876Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160875Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-54A0-6116-EE05-00000000E801}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160874Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54A0-6116-EE05-00000000E801}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160873Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.763{C6197713-54A0-6116-EE05-00000000E801}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160872Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.528{C6197713-54A0-6116-ED05-00000000E801}948640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160871Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.278{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5526919415E0B403787C243C11E48537,SHA256=BB58E69924E459B50E6844DFF2178CBF76C7147C6E8B7F110A71EDB0A272C93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160870Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.278{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214595Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.145{079FE16A-3DEE-6116-CA03-00000000E701}5736ATTACKRANGE\AdministratorC:\Temp\release\x64\x64dbg.exeC:\Temp\release\x64\db\Akagi64.exe.dd64MD5=1740DB24E17622218EAE04A91ED10F99,SHA256=62A7FD4EE533FD8D272F19E8C810F514BCCC54F3BC0BBAFE5966A863E48FB0DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214594Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.145{079FE16A-3DEE-6116-CA03-00000000E701}5736ATTACKRANGE\AdministratorC:\Temp\release\x64\x64dbg.exeC:\Temp\release\x64\db\Akagi64.exe.dd64MD5=D7D274F17ED5451F515F5B2A309FEEA9,SHA256=334BDD21521F9F155121731452DFCCBE4310EDE81D6CEA857066A2F91B2CAA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214593Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.145{079FE16A-3DEE-6116-CA03-00000000E701}5736ATTACKRANGE\AdministratorC:\Temp\release\x64\x64dbg.exeC:\Temp\release\x64\db\Akagi64.exe.dd64.bakMD5=D7D274F17ED5451F515F5B2A309FEEA9,SHA256=334BDD21521F9F155121731452DFCCBE4310EDE81D6CEA857066A2F91B2CAA7E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000214592Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.145{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exeC:\Temp\release\x64\db\Akagi64.exe.dd64.cmdline2021-08-13 09:42:12.129 23542300x8000000000000000214591Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.145{079FE16A-3DEE-6116-CA03-00000000E701}5736ATTACKRANGE\AdministratorC:\Temp\release\x64\x64dbg.exeC:\Temp\release\x64\db\Akagi64.exe.dd64.cmdlineMD5=640DE1377EA800F849AFA894E8F4640D,SHA256=605B207CCCAA04653007EA2E29D172B5EC95374AD9FBDD7BCC8C2CC01EAB2805,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214590Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.108{079FE16A-3DEE-6116-CA03-00000000E701}57363672C:\Temp\release\x64\x64dbg.exe{079FE16A-53B9-6116-D306-00000000E701}6636C:\Windows\explorer.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Temp\release\x64\TitanEngine.dll+12e1e|C:\Temp\release\x64\TitanEngine.dll+11896|C:\Temp\release\x64\TitanEngine.dll+37eb9|C:\Temp\release\x64\x64dbg.dll+64aa5|C:\Temp\release\x64\x64dbg.dll+58f0e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160869Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54A0-6116-ED05-00000000E801}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160868Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160867Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160866Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160865Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160864Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160863Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160862Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160861Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160860Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160859Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-54A0-6116-ED05-00000000E801}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160858Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54A0-6116-ED05-00000000E801}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160857Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.263{C6197713-54A0-6116-ED05-00000000E801}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214597Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:49.377{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C159416328832FF565DFFA83E0A26A1,SHA256=D61F8931B27662B2BD3CFA109F0F6EEC35C9BA943091E03B63DB93F8637E9C1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160918Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54A1-6116-F005-00000000E801}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160917Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160916Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160915Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160914Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160913Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160912Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160911Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160910Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-54A1-6116-F005-00000000E801}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160909Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160908Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160907Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54A1-6116-F005-00000000E801}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160906Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.937{C6197713-54A1-6116-F005-00000000E801}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160905Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:47.927{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52111-false10.0.1.12-8089- 354300x8000000000000000160904Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:47.556{C6197713-269E-6116-0100-00000000E801}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.15win-host-867.attackrange.local138netbios-dgm 354300x8000000000000000160903Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:47.556{C6197713-269E-6116-0100-00000000E801}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-867.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x8000000000000000160902Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.497{C6197713-54A1-6116-EF05-00000000E801}420216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160901Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.450{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A95D21A967443932882352E45B1676,SHA256=B4FF323A8E882E368A77A958FBE2703D71678C1A29AFBFCE104E69561BCC3D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160900Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.294{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D987B8C8B962FE900E8D36C807A0C3A3,SHA256=EB01750F83EBC47603D1A0A852BDD425D4AA6CF2C3E3E1B2FFA6FB14830F1632,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160899Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54A1-6116-EF05-00000000E801}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160898Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160897Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160896Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160895Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160894Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160893Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160892Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160891Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160890Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160889Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-54A1-6116-EF05-00000000E801}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160888Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54A1-6116-EF05-00000000E801}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160887Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.263{C6197713-54A1-6116-EF05-00000000E801}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160920Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:50.981{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B3D9D6FE71ED7D88EADF33C4AC5A4A3,SHA256=82A5DB04030CF884DFE532A3A0E8E4A720AA7540DFB44073461AF6D8DF8E554F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160919Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:50.452{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30339AA3D807F495B8BD4F4A94D68C93,SHA256=B554F535F85393253D1B30517EBFA1DF9B98371C86436DA34586353EB9776810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214599Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:50.408{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776780BB4796C6293C673547D1C0507C,SHA256=293C910A664667AAF5DCDF12D600E57927DA46D434937FF592CA2DD69FA1353F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214598Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:47.186{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64767-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160921Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:51.465{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D5B172A78165647E19CF071B981F7B,SHA256=26B3202801C5FBD741C530DBABCA92C8B9C3FD4DF1AAD7353AF38E67F86738D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214600Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:51.408{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B78F6E2CEB32314CCFC8541B0DF289,SHA256=16323B1099EA02EE61EC8E329A7B74EC4E76E17F10A4E38B437295A6CAECAC67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160923Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:50.833{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52112-false10.0.1.12-8000- 23542300x8000000000000000160922Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:52.467{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EDE37A43D9BD76BD56A0EA57B9A94F,SHA256=F86C692B3D4846B63A9597838ACA50505D70461C7F4757C139D4C418706D2244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214601Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:52.426{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CB6B46412720A044AB0DC83A6A4C26,SHA256=4E33773DFC35AD18E4FC2CF34F7B24F452CAF06BC6BD73CA6F193F74B6EA9F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160924Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:53.514{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E877F8DCF85F7BA0C60ECFC5D6FA9570,SHA256=545772A5553EE8FB218A154266C2E9D355588E7BE0637E86CDB06F6D80395FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214602Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:53.444{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6660127D34304EF4B824B802F2A11BFE,SHA256=2385661C27A72BA8B4F898759235334EDEF6E2FAAFA2A0FA06CA10BEF1512709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214603Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:54.445{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAF62E5E67503A8D3CF486EA7692068,SHA256=DD73F69FF331B058806917716591EF97B92B4B618CA06B366FC9D6B4F64DE0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160925Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:54.530{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A590A461BBF1B79A4E2BDF5F7BABF71,SHA256=B81A66A20F056D49D68256162F846A43B302BC3014ACB028E6A902F45162F813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160926Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:55.545{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EE4899A46B542391E757A3D5157C8E,SHA256=5A9D4F3F416A11480A02BDFF138289429410306CE7C2ACCED2A63661C874296D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214605Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:55.459{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A47E083C402170324192B50D5D72A73,SHA256=9E4C2074C32BBB8B3BD061A3189EE56093EC1C6EA6259268B8AD8F950E0C45CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214604Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:52.284{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64768-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160927Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:56.561{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADB6258579A9036AB85CC42E92C38D1,SHA256=6746012CC98BAD463701E37D69A6B5269FE3D3A595877521EADDDB251DF85397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214606Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:56.474{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC5CD77097817B2C043B6D6513FDC1C,SHA256=C531DEC4768F5567DE548767770736C1D8B48326413EB0EEBBEADA2BE40D8677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160928Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:57.561{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173FCA1BB210D3004A733E4C490B6F5B,SHA256=D79A141D1DAE63D831230AF8E80363E2C9C87C916C4DF22C12371527D485A830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214607Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:57.490{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4583A4E0EB9A525DCA6D76A74C6A1B4,SHA256=375FE538444DBEDEBD37F2DCD24DB7FFC226E43699E5216724BF271C689ECD98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214608Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:58.523{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE723CF076988D184DB6D9D1324810C1,SHA256=629C2A12DF2A9BC95B975F50B4729E8888464F4BE9500D4CDDF9733C130608FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160929Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:58.592{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CB78F6FDD2CF16CFA33E0531271989,SHA256=DFDBCC9F5D6F03627F4F3B4FB2D90631F892ED1471B61683E0EA6DC5D64C7DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160931Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:59.592{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98AFF700DED4ED2B43C96E963E09CBE,SHA256=42AAC117A6BA2CB99BEAE3D48DAD14051959E04848D0BEE37F179B81D40F05EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214617Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54AB-6116-F506-00000000E701}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214616Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214615Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214614Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214613Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214612Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-54AB-6116-F506-00000000E701}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214611Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54AB-6116-F506-00000000E701}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214610Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.743{079FE16A-54AB-6116-F506-00000000E701}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214609Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.541{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E47A4B6DF65070D547AE63A02C488E8,SHA256=A6FDF0C870BCE8F511210871C2775CBDD7980662054D7FBAA4D7816494669CD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160930Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:56.835{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52113-false10.0.1.12-8000- 23542300x8000000000000000160932Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:00.592{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E70D3D5D040EE9F0DA8907D57EB7CD1,SHA256=BA60E18F495759973FD83AFE9844CD50DCF50537F1C0B08544CC5DFF2743C1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214629Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.757{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8476CE62A715E4E6A2D1F6C6AEAEE951,SHA256=41CC7C45E620772C90972615AAB4C9052420165F24B7E27FE0CF72D314F63E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214628Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.757{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEDA6C1EEF43A8136141EBAE24BAF6F3,SHA256=AAE3E52772AF8BBBCC6507FBCBD44E657E72B78D8B00EE15D18A29E8383D414C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214627Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54AC-6116-F606-00000000E701}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214626Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214625Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214624Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214623Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214622Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-54AC-6116-F606-00000000E701}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214621Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54AC-6116-F606-00000000E701}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214620Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.605{079FE16A-54AC-6116-F606-00000000E701}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214619Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.557{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2028E913404409707E0F667ADD1FD0B5,SHA256=1DB4A91C5EEB66AC094F870AA80736DA2763ECFEF1ABD22CA8ABE1B7EC0AB7F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214618Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:57.330{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64769-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160933Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:01.592{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB7838A6D1D937736C542615C48DBCC,SHA256=F59591E2A463B0D340CDF9DD832E22418B28F505DDEC11A6D422FAB685C6976F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214639Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.572{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9811A0DCF9D81E74B43F7485DE40336,SHA256=62F990E9C90D6560750876415D40E4D22D38F8080AE215CFFCF6A3924B6522D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214638Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.474{079FE16A-54AD-6116-F706-00000000E701}11444592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214637Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54AD-6116-F706-00000000E701}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214636Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214635Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214634Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214633Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214632Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-54AD-6116-F706-00000000E701}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214631Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54AD-6116-F706-00000000E701}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214630Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.273{079FE16A-54AD-6116-F706-00000000E701}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214641Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:02.587{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CFFAE2D54CC320692CE3A28259E289,SHA256=C281C035B046BDE6AABA53EBAD137432243DCAFBA4A1C8C457A8D8994C456498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160934Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:02.592{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98980AD16C8A579F7167C0F324F77DC6,SHA256=1AFFB9295C387A8E4187BE68359A308BB9C93188F64E4FD42CAC85AC94A58012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214640Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:02.272{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8476CE62A715E4E6A2D1F6C6AEAEE951,SHA256=41CC7C45E620772C90972615AAB4C9052420165F24B7E27FE0CF72D314F63E08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214650Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54AF-6116-F806-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214649Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214648Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214647Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214646Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-54AF-6116-F806-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214645Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214644Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54AF-6116-F806-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214643Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.741{079FE16A-54AF-6116-F806-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214642Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.603{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA132AD62AE829C666D4B465CA7D2C88,SHA256=1DE124EBA2B6610C161B78045D741E621CD4C14439F95E26DEE043ED4D973731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160935Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:03.592{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3671D4F6CE0407ED00ADAEE0D8AE5AA3,SHA256=77A6443510CF7B399803E2FEA948EADCBB97C78D6D83712502F6BC0EC2997034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160937Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:04.608{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6418D18E32946CA831ADDA38ECF1549C,SHA256=658C584C4B730A64D2AB8B0D491C62372F7295594613C23A6F34B79ED6693B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214663Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.687{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28146E610A0F5F35C5E5AA1A3246F407,SHA256=F6ACEFBA47E83AB5D61A97448A6FDF4F1B91DA4A137F55760F5B494CFF5D2308,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214662Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.687{079FE16A-54B0-6116-F906-00000000E701}34723360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214661Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.624{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777E4F152DF0CE0C05D14F8DEE7BCF57,SHA256=3DE9CFE3162A61104B7E15EA3A43BBF3A6EDC65C94CCA779EF833268D7B2D158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214660Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.624{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEFCA941D56FE3D519682EF27929A07,SHA256=DBE5515E147B4598E27C66457F8F82772F37F6FD22DBCA43200100456D45AA74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214659Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.425{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54B0-6116-F906-00000000E701}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214658Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.423{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214657Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.423{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214656Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.422{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214655Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.422{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214654Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.422{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-54B0-6116-F906-00000000E701}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214653Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.421{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54B0-6116-F906-00000000E701}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214652Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.420{079FE16A-54B0-6116-F906-00000000E701}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214651Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.024{079FE16A-54AF-6116-F806-00000000E701}50086588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000160936Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:01.908{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52114-false10.0.1.12-8000- 23542300x8000000000000000160938Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:05.608{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC299DD9594D9260C045AF9F0B9A39A,SHA256=C4CEFC484C5A0B35D15BADC1B1ACF48896342052A4A4C18F24D7466721EA1817,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214682Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54B1-6116-FB06-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214681Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214680Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214679Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214678Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214677Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-54B1-6116-FB06-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214676Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54B1-6116-FB06-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214675Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.758{079FE16A-54B1-6116-FB06-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214674Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.656{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27676BC030AD900CF2ED37A6B009F39D,SHA256=395300C3A8668274B2BB01554127F7584436231F95F68AA52AD43499919F9EE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214673Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:02.597{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local63213- 354300x8000000000000000214672Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:02.365{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64770-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000214671Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214670Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214669Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54B1-6116-FA06-00000000E701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214668Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214667Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214666Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-54B1-6116-FA06-00000000E701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214665Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54B1-6116-FA06-00000000E701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214664Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.088{079FE16A-54B1-6116-FA06-00000000E701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214687Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:06.657{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FD7BFBAC6F05801512DC1F77983086,SHA256=AE232835A9F39CD1EEAC0CB7F11CE377443FFA056A4BDF20F09EE3F7B285F684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160939Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:06.717{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208689664E0B79BC6E4F83132029F696,SHA256=93D9F0FF6AEAC1E3C557B1B847DDAAACBDBA49768AD5FE7CD90B3ED1F422400F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214686Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:02.797{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64771-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214685Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:02.797{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64771-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 23542300x8000000000000000214684Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:06.089{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C25DEBB2A0799D6FF9BA9940ABC54357,SHA256=6FC5B3A52BF27AD841DC88C7CFA52968B3BF0C5CC6448FB42BDC57395025FAD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214683Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:06.005{079FE16A-54B1-6116-FB06-00000000E701}6366572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214688Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:07.657{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C04E6FA7C2184F8F4D08A02C3E021EA,SHA256=E1C1F04410953B3BDC54B77E41D1A95822EBEA8D1FCC3BD21387F12E4D2797BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160940Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:07.717{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BF5DD9418E5DC4AC843A961F7232EF,SHA256=F1090F2725FA926EC7512B6E5C78C9BABFBCF53298F13D69A5C8FD0A22D0A54E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214689Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:08.672{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1629AEED4C6D3C1F93B9E6051306F83F,SHA256=1E8316D30DA1340399326975AAC2A10835B627773BC9086B68168AAFF051EC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160941Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:08.717{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E3197BA0EB155109050C88A8B60C2F,SHA256=7F393DD55A5042CC75C2463084E6B1A5B0E0F237984EB3F089F68E0A080C5698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160942Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:09.733{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3422C23B09F5D4B17BA35655848841,SHA256=767CCEEC063819347674B2B090978CBBA1CEA06AFD2EF61D0F62F1D767B3FD23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214690Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:09.688{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE8142C21A9D71C7D8C4E39CCC5F693,SHA256=DE572C791A0757FD4D932D64C8A5D815647E5D7702433F413BF8FCA318C4F48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214692Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:10.703{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A585F5EED54EBE8D88003EADDFBFEDD,SHA256=7167082FF4E3C082F565EBD848FDF44AB0F45279939D0C599EF65BC066A15B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160944Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:10.733{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4110F19D800E84972C0C4FDFED6E0F0D,SHA256=1C0F11793B88B69F8A141E5BA1B490EC90CFA8F1478B303A04F43B5D4912DEA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160943Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:07.835{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52115-false10.0.1.12-8000- 354300x8000000000000000214691Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:07.366{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64772-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214693Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:11.722{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A7A9A7E477302A82B040E37E6DE39F,SHA256=9CE1FCF14EB16421F7BB845DD9B5D5C1D155889E81076C9133DCBF9BFFE34445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160945Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:11.733{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E241D954BB95230324A4A94A202CC649,SHA256=C92547A89A6C3BF273877B7B0B65773C0E353FD69CEFC7710634DEDE89EF5C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214694Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:12.739{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594DC3A1B749C2F254D2F51AEC4403E3,SHA256=C873A5F5C30F2D7EEA3D41B61B7844DA85D5DE7B875D6B39F72B0A670F23AE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160946Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:12.733{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA623D71FBDF610738AE8F5B4BF7F8E7,SHA256=70398EED25D228E7A90FD68BB7FD397CE2CFEBFF4B6454EB9D3907C306853E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214695Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:13.754{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12B51B7D9B16207C291BD295B9113A6,SHA256=7624382FCE5D6B43292907527B70DAB9D36E8B446D875CB4EBFE5C5B2EEF6C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160947Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:13.749{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF02F4927424D3422D4B9483AAD39625,SHA256=4406724D1BE5817C8E2646F4F11DE409526B332F4A766C3ADEABC971BADC371D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214696Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:14.768{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25D2CA81C354245264A8E53221B009A,SHA256=04F789D8BED4B7CB4A6D93935004A2C38FD239FA18A844D9560DF2EA4922B5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160949Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:14.749{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31B6EC6B5C2B9ACF7AFAED4A5B50ECC,SHA256=3F7AF5929B15665290616AF54079F758D53C31E4DC08951B32450A76B9BA828D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160948Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:12.851{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52116-false10.0.1.12-8000- 23542300x8000000000000000160950Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:15.764{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614DA93887BD9089261E6A7ABFF8ED40,SHA256=0B45BC38184DF2C473F43D6ACC8E6A85060EA1BA1332471EDD5651186C956B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214698Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:15.798{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5E2E89BE7FB6CE37C2CF12F01CC01B,SHA256=E0AB854E773ABE720E868DD8D1B5A883A7A7E96DBC91EC300954A5428C381E1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214697Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:13.262{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64773-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160951Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:16.764{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7E4386566ED7E57107BBAFA4146255,SHA256=1A9F21A92CEE1BC295E114A23C20C03C89947B885F2D2BD8DA72A90A5F5718AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214701Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:16.819{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A02EFA217BCFED702194CF35A6C8FE7,SHA256=9954696DF0B625ADA7218130E7FD92D4EB38CA06E11BB09A02E4E3BAD2683490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214700Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:16.597{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D10B115BF09527CCA1FB32FF2D2FDBB1,SHA256=388AAC06C3FD1E4EC8AE627F4E0ABB84BCC4B4071115CCC0AAA784A06440CE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214699Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:16.597{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=025B12EA77D39434BC95B4AD5B7A1EE8,SHA256=576BBC7465BC9BBD308A71050BB9DB7751C370C185E56192EFB729D8D1A84713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160952Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:17.764{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA96449665E79DC99F4FC673C831254,SHA256=ABDF86D8B62C0695016A62C6C709F6BE658B1ECB15DE82E79B4B6A9C21FFB6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214702Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:17.835{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5446B0FB3CB743D0D17A8A77970530D,SHA256=DCDA60293266E2B804102FC386B48171BA28E13D0D543850B6F8437D6FE010AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214703Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:18.850{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0DE798C14C0AA753131967675F0A9C,SHA256=29A6F3EA32B79170C7DDA6A12CF87736C4EA29F142E134D0A74633AE275CB2D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160953Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:18.764{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2E75F009F1D90E461032406E592088,SHA256=1D9FD71DFBF5FC9BC0253EAF6034FB0642BEB462FA5C54D7ADC9AA9FF382979E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160954Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:19.812{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA71BDAAC92844CCF723A98DDD3F445B,SHA256=C97B1BA2D8D5BBD4354B5329F23F9CE22FA83418EF5D7DF515EDB118A8074987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214704Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:19.881{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85C3696B6A723335C4D2E821E6002F3,SHA256=C865A3E632F7DEDAB61D579AA0E2624FB707E28447C5933C0F601F84945C5AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160956Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:20.889{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE111945943A515954B6221789D619E2,SHA256=E0A1785B06CE03FE024982A8C695B3D48B82C8A944377D04908392FE52A9A752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214705Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:20.896{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9731CCD30DDFD14C8E26A7C7ECD9234A,SHA256=69A3586493101651D3BF8DC5D56345F40F37212C89CE2312C96BDA1BA5ACBAA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160955Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:18.804{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52117-false10.0.1.12-8000- 23542300x8000000000000000160957Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:21.889{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B893B2B67843EEE521EDE5FC85ED0A10,SHA256=34200270120DC5F31EE9CC526956731A4F59792513392267F95EDD393CB99F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214707Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:21.915{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6ECE4BCC86B54EBAD707A299A553A1,SHA256=97B6F14CEAA1F5AA802126954E0E025F34D98F696890F78C023E0E79CD827FA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214706Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:19.190{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64774-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160958Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:22.952{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E05FBA1FC3BDDDA0040175F3D92F7E,SHA256=74C8D80F0058E15477B3FF7639F6BFB0BC66FAC7276021F1A96A58043D791107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214714Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.947{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3281F49034DE0606A96E629400A3F7DE,SHA256=1F93D2B4F1922D69CF7FD95E9E03F87DC914E81CCA492ABE8E647AAFE4271622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214713Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=268A5B81584066A7B96E45DE164DB5A9,SHA256=7ADAE880E011183ABB8F753928B18E5BF965E3DB7C8BD9DDFC2CF0A37AB69959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214712Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=5424D7FFE859E762DCE16320288D815E,SHA256=9465EF5D5BC8D4A1371F64B73EE48F6BED6FC8F2EA1A5761D2117B139091087B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214711Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=4E153D6E6BE282CA37B2EEA4355B5978,SHA256=AE13663276FC1746AF061564BD69F4CD45BB891D78A0306F10ADCDA09AEA1C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214710Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=4D0AEFD2194B8B56B717E8542F6188B3,SHA256=E9AFEAA91FC06605B9FE288A3C9141ACB78159F6C1D26926227D1DBBD95FAB74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214709Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=090D37E573318EDBD3C5E8D91D2A3865,SHA256=892A1FD2642511708236AA3FFCD7E176F887DA32E3BEF172FF341CD45125C46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214708Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=FC9F4FC2EBE2281FED0BC311DBB5DE58,SHA256=89CD08F04C7DA4EB3AE04246B575915BA7F9CA00FA29906B1FCFD9015CB887D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214715Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:23.961{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AAC5403089547D3233D165229C7C6B,SHA256=2B0B3BE42644563564F96B2F18082793C013C3424F5CA7BA90B7BD84A1A56606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160959Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:23.952{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083C65F16E53BA86A0FBF6480A74E8A8,SHA256=D33479DE3DC31ECC8FA8DA959DB67D816910CE81EFBD9158009E1EE8C5745F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214716Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:24.976{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14AFAC961339BC702641399BBB4FF8F,SHA256=CF83844A1E99F83F318D5A03AE0EA8DC54D34CC6D8A1B2134303CFE6A08DFA85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214717Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:25.976{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1EC79AAB79AE2609421001FD1CCC8A,SHA256=817887038E0B0204FBD7644A667F1B946C23531F177A2E7ABDB28AC05A5C9256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160960Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:24.999{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF74CB83A5656382CB52B05E0F3139C1,SHA256=66BF84339CA049121D73AE60D944F50141724386CBF2C4DA1F74FE6B9CA2B9F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214718Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:26.978{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A0E596AF5304FAA4935CC54D0830D9,SHA256=FD4DBDC0A11CC9E76647BF0B4D1D40EE50680661E5C8867C305FF50228078EA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160962Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:24.758{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52118-false10.0.1.12-8000- 23542300x8000000000000000160961Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:26.030{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA24244406F4C4DFAAC11F4EAE44269,SHA256=9A307540685394BEC48C8FF86AE4E0ECC0520CBFD35F41E7B4EFFFC7FAC520D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214720Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:27.992{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D2732C6073F68D851D5948ABCC2681,SHA256=C9A2783539488A1804F64637900E91FAD46C154DE63159C7CA466CB5E620F650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160963Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:27.061{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328BF977BCAC5B27C619F58192061D5F,SHA256=EF9FE2C5693A5F43A49C99472AD024263A87C008F92DF8F6A96871AC371577B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214719Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:25.217{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64775-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160964Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:28.077{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E823624CEB80B8EAA538CCBEABA5DB,SHA256=B5174D6EF4317543650E14DA1DD48D40ADA7E258316BCEF93D4F66F099BF8912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214721Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:29.010{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F309A5F65F62647F33C917089B87D3,SHA256=DF15141AAECCCA9F08B287E9D640FCC36394334AD44307B51DE396CE1E5B21A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160965Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:29.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8103D9DA6365B5E23D843099191A3717,SHA256=E6269E61B582519008C655B02FBF7C949368B8A3E58EBCEBC440A2BD17F66488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160966Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:30.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31290432B2F004295BA3A36B296AE5F,SHA256=FE2E8B53CF92670B990604FBF407E8331ADF37F62A28B3A27F452302415CEB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214722Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:30.028{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C21CFC26EBF90D06509453682E263F1,SHA256=A0873F61B7CBCB572D3A04F3EEC69C5DA8E6EEC3F53BE7BCCD2C7624AF9FBF77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160967Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:31.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9C93CECFBE410A059D8CDB4C72CCAB,SHA256=E6357BBDA0BB1DC8A8A8870B54FA557EE1EAF030CF8DCF2647C3F99D0F6B85CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214723Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:31.043{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43E9E3076D32322C22E3C89EC84DED9,SHA256=E546E38659913AA1749436030D8C427C77A282AF843426A6E3C58B3E3986ACFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214724Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:32.089{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11457E9A04DDAEDD120C88F1A51D604E,SHA256=C76371CBABA48AD9B8FC7457BE76938A0DDBF4F4E9654D023E952483A8738D9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160969Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:30.727{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52119-false10.0.1.12-8000- 23542300x8000000000000000160968Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:32.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC01ED4FF7EDCC7854AF50BCE29F976E,SHA256=AE1B7C8EFBC9609899D7DB57FA95EDD83082F79524B51D69AC746ADB1BC529A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214726Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:31.182{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64776-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214725Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:33.108{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD604011D9CE7E8C85A40E1AA631399,SHA256=EA82C120777E9B3A89440D8B9348F39F15594803CD66664C083BF8461C560019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160970Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:33.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEAC2D01324E65F1703428C4831C659,SHA256=D8BD6AB218A143BE2E768978649B1E80689CF5B21A2F6919F7B7AABE47987AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214727Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:34.126{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7F870E81571B89D4B4586EC7FB74BC,SHA256=3A63E2F4013DD38EF7C71FE3C528EBA9D0E3E663D143311026F50F20CD40503D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160971Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:34.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA7A7C8CC2819D25069209955912F1D,SHA256=55A6568D1AD0FF14F84E3D145F107ADA7AA10F0CA09204F64C20AA700BB13CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160973Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:35.296{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5D3159B3477EE64BE401AAAABC93658E,SHA256=90A3245DB82C9F6436113CF9343AFCFB9FF07148EC69646463B9C33EB5D148B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160972Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:35.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8809EFD26EC851F28755E985F18D4FF5,SHA256=D05A78CA41DDD53816715F9C3F144B014C0D2045230A9CA515AC4E4B6B731DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214728Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:35.155{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE582EBD4E4F3DA3EDCC86868683F38,SHA256=0F59167CE88327A334579B46E5A45402CA8045F9C28BFAF086CD9469EE979B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214730Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:36.868{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9AAE6303FD42C89CA326651066045B79,SHA256=A01544EA4CEE99ED2DF7C5283F6AB369B0647C6F6F088B553066E500A2D6E6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214729Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:36.169{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A5E4937FD00917B1B2E8EDE4D2884C,SHA256=EF15D7A7563FB1A6B92ED7A7196653AA78214712DFDB4746D6761DD0F67E2196,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160977Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:36.921{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1500-00000000E801}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160976Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:36.921{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1500-00000000E801}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160975Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:36.921{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1500-00000000E801}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160974Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:36.155{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6869B54AA8205399FA57E7F81BED9672,SHA256=277C2E325DFD3037495D38ECCBFF494A3D6AF838A11E343D1D9B74E4252202B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214731Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:37.184{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8479DBB98354836BF97124F38B83DC58,SHA256=47074A8B3B018F247AE8F160CC9B0DC1B0BD48FCCC3E95F31B137145BB8780B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160979Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:35.821{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52120-false10.0.1.12-8000- 23542300x8000000000000000160978Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:37.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A094C2EA3BB7BC10D671CD4C3B845AB,SHA256=5599BA9532FAE256AA954C747D4AB1F96C427F601275D483BEA6EE7C10163898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214733Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:38.739{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214732Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:38.185{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB4455205DDED35161E6534BE162D4C,SHA256=A5DCE0B6D65098E05E8FBF8320150023E535C7BF1B062FB0DAA4C0074D223652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160980Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:38.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F9A3B322CBB58553C2442BA5637FD4,SHA256=DC334AB1EFA7DE2F7B98CA7C5B50F42795F2E4C80031E88B4187A901A3001B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160981Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:39.170{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD2113805CE57A87211C19850743989,SHA256=9814D3FF54E8EF7E67AE506EBF087BB9EC4D91717485BE24B3062C48DF96CE37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214736Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:37.849{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64778-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000214735Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:37.209{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64777-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214734Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:39.186{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD50560F1CA1A933E2F03258A14901C,SHA256=28AF0D6593167CB410031B19764745B6FFBE39197802DE1665390A8047314DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160982Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:40.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF90A81D301FE247F959C7B3FE1AF7BD,SHA256=BC2EBC763BB3ACED362A7A1BDE6DA6E32FB4426F7B2BF82F51F9773EDEEA9AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214737Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:40.187{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1806593696FDDBE94F881F6283436D,SHA256=2B923BA62036CC34AF5A5C51343214DE1DC9438AC1CA57E58E9BE721FAE139E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160983Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:41.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51909369C122D010760317DE0854C106,SHA256=193CC5BB15A003E8DC04FF1EE7EBFAB7D30913FAB5519EAA2C6943ECB59C2A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214738Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:41.205{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C8AF90DCF49650BE1A061C8F0A3F1A,SHA256=3E319D922CA1E680AD427B6D4F7423EFADFE58337A1D826B081144694C3C8ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160984Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:42.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7D4E245403198E5BD6FF058E5ECC07,SHA256=BB6E38C557BDD254FB89F022069C53311CAD31B65E70080B01CE37B33399A4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214739Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:42.225{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B6BB8A7C14EB8106E5067356B39CC1,SHA256=8898975071596B0C75FCFE0936159167B2A2A7C4B87D4942F3CEACB776527BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214740Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:43.240{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7471318489D07DA469F30B5EEDF8FC,SHA256=D4DB5602CEF4FC31B3A577D7F6D184191EF96E012E0476D09AF0408127FA7EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160985Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:43.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90750E7795EC3B47E5EDCB283DFA7E52,SHA256=F93A21EF32DB6CC7E85C2CFEDD3C39BC018C4DD52FFE9E690F1FAFEE57FC9651,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214742Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:42.211{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64779-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214741Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:44.254{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E5048213849304201CDB486EB0C5CC,SHA256=2A6696000599C42D2BEC220C14118A68559021BC53820398F53FFE9CD873AA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160987Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:44.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656F419EBA75C0351E9FCAF42C5F5860,SHA256=AB4F4B3A5A4AE6F3231341DE207D29B1A87707A8370CEA3A30F0CCE33B6E0BF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160986Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:41.727{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52121-false10.0.1.12-8000- 10341000x8000000000000000161001Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54D9-6116-F105-00000000E801}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161000Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160999Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160998Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160997Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160996Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160995Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160994Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160993Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160992Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160991Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-54D9-6116-F105-00000000E801}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160990Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54D9-6116-F105-00000000E801}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160989Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.656{C6197713-54D9-6116-F105-00000000E801}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160988Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5605AF0A3945ED8E67DC298C61A05E,SHA256=A61167532BF47E185B79198B7FE3A138C4897B293BD24C8DD4B9CBE0A29F13C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214743Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:45.269{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189873E1A496653EF568CC93A9A17FBA,SHA256=47D23BEBB1E85AD2C887702B6C623E85A83D925D9484084F3AE17817FB916DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214744Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:46.303{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E180DC54D2599E12ECE1FB40F32EDB,SHA256=686C683F9D2DC099DEA2BF27BD3B68D102431A70FC025E4950EEE0BA387E91C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161030Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54DA-6116-F305-00000000E801}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161029Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161028Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161027Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161026Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161025Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161024Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161023Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161022Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161021Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161020Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-54DA-6116-F305-00000000E801}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161019Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54DA-6116-F305-00000000E801}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161018Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.828{C6197713-54DA-6116-F305-00000000E801}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161017Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.655{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FECCB7ECDCDB7796845BE61404C15B7,SHA256=F3024310D28F145BA081DA970A1B1880FB0BA3558E3F9E0F6E51EEDC25D1E4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161016Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.655{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6898E8399D02B750474E4D8E26A690F,SHA256=44535F621AA557B9F41B3425BD93A1F7C9CD28B8CE9B805D6CDC60B29078B3B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161015Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54DA-6116-F205-00000000E801}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161014Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161013Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161012Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161011Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161010Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161009Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161008Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161007Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-54DA-6116-F205-00000000E801}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161006Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161005Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161004Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54DA-6116-F205-00000000E801}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161003Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.328{C6197713-54DA-6116-F205-00000000E801}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161002Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCF0B8386E599108E9F13E823FBDE99,SHA256=8D30653718C6DDE23022F01AFFC05F58AF0261FB1CF3180B8007D97801803F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161033Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:47.858{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FECCB7ECDCDB7796845BE61404C15B7,SHA256=F3024310D28F145BA081DA970A1B1880FB0BA3558E3F9E0F6E51EEDC25D1E4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161032Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:47.436{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E386DDDE8B2E7A5CF643506C8036CDD,SHA256=C9F69139B096FA0E5E576C8DB47B17472C6AD702371A4F8CB98FF5BA8C0810FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214745Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:47.320{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C927E6F36BDC4C7E8598429B3631862,SHA256=9D00761F2B51924B992054DF13B64EE88F0E21E19373576E322A1C840D483B35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161031Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:47.030{C6197713-54DA-6116-F305-00000000E801}33803368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214746Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:48.335{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BC07B2357104B77A7F49AA31EDA57A,SHA256=FAAFB9E408ADC3AE26613784E635C3945AF27DFE578757D91D59CF2303C2F9FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161063Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.983{C6197713-54DC-6116-F505-00000000E801}3284724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161062Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54DC-6116-F505-00000000E801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161061Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161060Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161059Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161058Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161057Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161056Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161055Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161054Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161053Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161052Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-54DC-6116-F505-00000000E801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161051Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54DC-6116-F505-00000000E801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161050Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.781{C6197713-54DC-6116-F505-00000000E801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161049Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.530{C6197713-54DC-6116-F405-00000000E801}3272584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161048Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.452{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C437062E08F4B9C8A1DBDC3CC4F646,SHA256=4AA6E28A268B6CA258FB241F82FCE27235F60651C890D276E87CDE5E11EF5FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161047Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.296{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161046Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54DC-6116-F405-00000000E801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161045Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161044Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161043Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161042Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161041Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161040Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161039Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161038Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161037Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161036Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-54DC-6116-F405-00000000E801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161035Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54DC-6116-F405-00000000E801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161034Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.265{C6197713-54DC-6116-F405-00000000E801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161093Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54DD-6116-F705-00000000E801}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161092Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161091Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161090Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161089Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161088Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161087Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161086Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161085Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161084Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161083Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-54DD-6116-F705-00000000E801}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161082Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54DD-6116-F705-00000000E801}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161081Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.906{C6197713-54DD-6116-F705-00000000E801}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161080Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.639{C6197713-54DD-6116-F605-00000000E801}39481328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161079Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.499{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9324EBCB88ED3289C4F5476824749F99,SHA256=EDFD9B6EDF7579FF902FA2152DC331D9203EFFFC4DC847C2887D547EAEA65EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214747Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:49.349{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6103D8650592B899912D1EA52AEBE5,SHA256=74DD45F7BEFF114A0DF223E94CB0CA9214787D085608037C6C4D04EA7124038A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161078Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54DD-6116-F605-00000000E801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161077Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161076Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161075Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161074Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161073Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161072Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161071Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161070Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161069Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161068Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-54DD-6116-F605-00000000E801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161067Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54DD-6116-F605-00000000E801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161066Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.406{C6197713-54DD-6116-F605-00000000E801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161065Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.280{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A61118B0431A64D6C3B6C6730C59F887,SHA256=A037F684E618266B84A1A0C1F2349C9CB1894D5E64492BCC5BED68D0B9DAF5DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161064Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.758{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52122-false10.0.1.12-8000- 23542300x8000000000000000161096Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:50.499{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8FFC17F027339B1317548CB6812DC7,SHA256=9278BDE03972926797398A5573A89564D348CEC16906A07EE8A74A49CA752F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214748Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:50.364{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6164BA7DE0AC393F85443CF4316BADEC,SHA256=3249F2724F27B912DB6414BF869AE7306566097F485E4086E078F097E6A5DDAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161095Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:50.405{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B25F7C6AFEE4CBB2AB95F687F4F3CE1,SHA256=9546BDC63E2AFB1B495AA0A056002737E8A4F31D8320FD0B2F0489CD3A0847AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161094Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:47.946{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52123-false10.0.1.12-8089- 23542300x8000000000000000161097Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:51.500{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EDBB28243FFFF32AE173358841D512,SHA256=D10F7EAD22B6E4D098981886CC64FD68250104C21EF11C72E45CBB588180D4A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214753Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:51.847{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214752Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:51.847{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214751Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:51.847{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214750Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:51.379{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E41CD07567AB7D8835E2B0FEFFC180D,SHA256=ECBCB2A4BEE3F9A0E384A230BE31C1A753A05CAC1E9BB3E1A764D22A9F248437,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214749Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:48.222{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64780-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161098Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:52.501{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CFDA42E9A47083179139B45AE15B804,SHA256=EDCDAC8C8DE9ADF7A1C7BAB2B5469C69E821670C035982337667D4B54D124636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214754Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:52.398{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BE3F51287B46AE1770B93A1BC3283A,SHA256=61EF481A88C582A499E17DFFD9D079AD8DA7BA5F628CE73BAFB57F4ED6EF5939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214755Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:53.432{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCA54C5941B879CC2F00501CF0E4F5C,SHA256=8067A284A31D45E288607C0F719FCCEAA07115B1A9783C8BE945AA214FC044A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161099Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:53.519{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40175C8B69DEB5937263D3CA7085E20,SHA256=0295C53A2223A170D83BE6F13A83EED6B42FB6603620E356CBECFAAB87024214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161101Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:54.550{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D2534B51DE9DD395BBEBBA86EC556B,SHA256=5B920AA6B586A09230F21511FCDF57FF905016F255CEB1067E382595F0C0CFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214756Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:54.448{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D34287B8E7073C20691A1FE86AB81A,SHA256=0BAB08A5D531E8BE6F57C503C8F0F5E5CF782A38EC3B9B1AEA2B36324E8C18AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161100Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:51.808{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52124-false10.0.1.12-8000- 23542300x8000000000000000161102Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:55.550{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1891C46457588D193802E4764227D3,SHA256=37BAE86B0796156EFE6383428B0FDD439AD7739A43A1BB5313E5FF9C05A18D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214757Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:55.463{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4AF11AFB62532DFCE2D2F5434F91EE,SHA256=52ED63BA5D9123889C9FDD155478852C572795D5BEAFC259478F795C9F8BA106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161103Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:56.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B5025AFC9779E577E61EBF34B17287,SHA256=F6BBD4B9082B1E98BB919A0E479F9EF00221F6B6264009713ADB647E3925FC4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214759Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:56.499{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66B4D7F34F03702F17A8DB8C153F3D3,SHA256=0BD5220E9572F1D82A77DECCFF43C849C1E4F400A5CDB93CF0C825EA22807174,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214758Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:53.320{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64781-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214760Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:57.632{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C82C7BE877DBFDA1781F78DAA739302,SHA256=CFC3FA15E37DCAF23D1FB4ABA947D3BFDDD9644D8DB12FDC87CC6FBFF9F230B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161104Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:57.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57190D9EBFD72B50AE17659872F626C1,SHA256=09073C51249AA5039FD92D10A1C19EA1DBE769850FA5348BE5BA1F107C81C586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214761Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:58.662{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B55C02C63E587968E3D01622295141,SHA256=A2CB33646425D7D6439EDEAC4C544A04081DAA1C8858CA97AD28551CBF79EA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161105Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:58.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E7B7F2B75BC2C6BC63DE3E475C822D,SHA256=3CB15200DCD8185CECCA64361324D5FCF62583CE36CF872AEEFBE57BCED4B2ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214770Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54E7-6116-FC06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214769Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214768Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214767Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214766Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214765Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-54E7-6116-FC06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214764Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54E7-6116-FC06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214763Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.748{079FE16A-54E7-6116-FC06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214762Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.696{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32A1BFF82645B04A848B1BCBED24C91,SHA256=AB32789C92B67F61EC8EA1EC1B813DAFA7F68DE0089BAB8D5B79F4041C4F5EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161107Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:59.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD1374A5C4D1EB45F9B0A9455BA2830,SHA256=86846FF37B1B4DC67A3E5EF8F66A19899B72143C02C519C40BFF45CFB2D89B62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161106Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:56.919{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52125-false10.0.1.12-8000- 23542300x8000000000000000214782Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.751{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8176D22A77A2F2463D6A9BE1B80A287,SHA256=E6425B60047F1A8D140BEC5EFBA4764C3884B0CB10F12862139C0770D1BD3845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214781Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.751{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59B653ACF60816275BF7AF4295A492C8,SHA256=DA03B7DEBFE130E9F8F9EDEF810FED2F2E60529F3DFB710DF6B2403793EF9D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214780Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.704{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDA1B489B309F8D60D9E2BBC2472712,SHA256=FEC1B232B8040E4939B54E89BC38D881808860CD482059E31856BC66D68CBBE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161108Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:00.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74AD584BB4A0E49D0350C981AEC46100,SHA256=EC3D3AF0F648EF5BBF5F2714BB8FF97B24B6C95FE557EC4B2E73F991EBAE5BE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214779Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.635{079FE16A-54E8-6116-FD06-00000000E701}41486008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214778Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54E8-6116-FD06-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214777Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214776Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214775Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214774Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214773Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-54E8-6116-FD06-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214772Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54E8-6116-FD06-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214771Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.421{079FE16A-54E8-6116-FD06-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214792Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.752{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F9BDE66A2019853F68B19DCDE9342C,SHA256=0BA0E07045A08595B8440FE99E15A3CA1D4BDB214707FAD94AABDA125F6FB035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161109Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:01.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724FF7BA6A506C518A95767E50B9A406,SHA256=4821D889920EE5996F659E7153D14B7BD27FAFD15BBDDB3B543A07C364C0AF93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214791Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:58.356{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64782-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000214790Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54E9-6116-FE06-00000000E701}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214789Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214788Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214787Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214786Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214785Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-54E9-6116-FE06-00000000E701}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214784Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54E9-6116-FE06-00000000E701}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214783Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.084{079FE16A-54E9-6116-FE06-00000000E701}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214804Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:02.766{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AF63B0C8C0A36DDEAB58D035B229DA,SHA256=A12B067204E273DB5A9DA8ECC0443F6584C1F2AD90AA5103F095A56BB5F66BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161110Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:02.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CCD7BF9495DFDD0A7B74D9D0C9EDA4,SHA256=36C355974FA8927EC12E37A26B051840AFA0B95455334072B746F6971C62043B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000214803Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000214802Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b4e255) 13241300x8000000000000000214801Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902c-0x7f437ea2) 13241300x8000000000000000214800Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79034-0xe107e6a2) 13241300x8000000000000000214799Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903d-0x42cc4ea2) 13241300x8000000000000000214798Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000214797Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b4e255) 13241300x8000000000000000214796Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902c-0x7f437ea2) 13241300x8000000000000000214795Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79034-0xe107e6a2) 13241300x8000000000000000214794Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903d-0x42cc4ea2) 23542300x8000000000000000214793Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:02.120{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8176D22A77A2F2463D6A9BE1B80A287,SHA256=E6425B60047F1A8D140BEC5EFBA4764C3884B0CB10F12862139C0770D1BD3845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214814Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.850{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC17B2F5DBD7324CC4CB7CACD0F269B1,SHA256=7EE6450DD3DA12E2899559A821B66E12B1F6A700490D33404B746C6DCF47E6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161111Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:03.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E21C4C21519A0DDBF64DC4DFC03FA9,SHA256=76CCCC6325AF8FCE987B8DF99DE40E021C1BC020942D761AE98E23EDA1977C08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214813Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54EB-6116-FF06-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214812Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214811Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214810Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214809Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214808Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-54EB-6116-FF06-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214807Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54EB-6116-FF06-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214806Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.752{079FE16A-54EB-6116-FF06-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214805Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.151{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59E26942E9981CD9737B347A7F83FCFD,SHA256=69856175ECD5EBF5A04B4CFBDEB704857459143C6A8DF1ADB99881E676382DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214826Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.903{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73834F3E389A45162305E2274DD1EB2,SHA256=7787E3A74BE6C8C9BAEE975624AAA8141530723FE16BAFC70AEBA762AC221169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161112Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:04.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90EAE721B27CAB61CF4E92CFA763AB2F,SHA256=5B68E1C41EF0C9A50C436A4CE4E8461D93392A6ED5B1B2402E09D32AF3B66E7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214825Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.834{079FE16A-54EC-6116-0007-00000000E701}33601412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214824Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.703{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CED16F5219E6A2D70EECFAB888306AF,SHA256=11F601E6E95094311B2A88379279CE485FBA93E296054751E46507B9F151B2C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214823Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54EC-6116-0007-00000000E701}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214822Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214821Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214820Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214819Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214818Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-54EC-6116-0007-00000000E701}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214817Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54EC-6116-0007-00000000E701}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214816Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.620{079FE16A-54EC-6116-0007-00000000E701}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214815Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.081{079FE16A-54EB-6116-FF06-00000000E701}12325008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214846Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.918{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BDA092C26010880432DE058160B333,SHA256=88173D86BA5A8B3FD4A54BB644D4B8AC246075F862AD34853D36080CDDCBE9F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161114Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:05.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F533E8BDF1D24AABC72E5DF4BFF18E,SHA256=3AB77C22F0B7A4671365F34177C1A8822B75BD5554BCFC4E2CAEA56069E92390,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214845Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54ED-6116-0207-00000000E701}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214844Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214843Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214842Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214841Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214840Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-54ED-6116-0207-00000000E701}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214839Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54ED-6116-0207-00000000E701}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214838Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.781{079FE16A-54ED-6116-0207-00000000E701}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214837Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:02.807{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64783-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214836Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:02.807{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64783-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 10341000x8000000000000000214835Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.349{079FE16A-54ED-6116-0107-00000000E701}22566644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214834Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54ED-6116-0107-00000000E701}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214833Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214832Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214831Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214830Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214829Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-54ED-6116-0107-00000000E701}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214828Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54ED-6116-0107-00000000E701}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214827Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.120{079FE16A-54ED-6116-0107-00000000E701}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161113Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:02.904{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52126-false10.0.1.12-8000- 23542300x8000000000000000214848Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:06.932{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9726C8DD8463FF0D60287ADA3BEEB59E,SHA256=946DB35AB63F276AC2A1CB255B7103BCF5DFD5F97E073331577C42BF31CFFA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161115Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:06.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580B9E742F887A788DC3D3D5AB67BE03,SHA256=338CCB695ECE2118937508647DB40D155C8CE392EE506DBAAFE16A6EF5143102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214847Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:06.133{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=102B72B8827C20C0D574405648E8F525,SHA256=9FA5D5DFE504E93F4255B46A01D0A719CAD1165089FADE17C49A7CB6A3E4F4B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214850Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:07.947{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCBA74E213B85280B4001D5517DD676,SHA256=F628FB92C5809D114F224198581E6883A7025FDE078EC6CD2552A2BB3A14C556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161116Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:07.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9930FA19A0008C81DD7304A00C8A0208,SHA256=F1B0402063FEAD04AC03250DB522B759E1032C8A91D5BA84FD27E209A51DD4B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214849Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.358{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64784-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214855Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:08.977{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A404463F04BA4C0B68650D7364C82D00,SHA256=67FA7DF501095DAD905923A3BCE13E914A47B0DBEAE77ED93850FCF17EED4202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161117Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:08.628{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46019569ECDA63DB54178093F51F6EF,SHA256=8CBAE3BCC804ED8A466CA13E6DE321F26C3980331BD089F07F50B91D7881153B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214854Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:08.100{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000214853Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:08.100{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214852Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:08.100{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb4f7f1.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214851Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:08.078{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\aborted-session-pingMD5=CAEA4F5BD0E545848441AA79CB952B91,SHA256=639DAB59D87158DA6BDEB9DDE7918AB07A27F67F22BC20480D5CF682B4A91651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161118Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:09.628{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9AD1844F4E41F43C40C9E0E4088A73C,SHA256=DECB5981878061796FCA7F319E492EE79F39F313AB62F648157A5D1381525B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161120Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:10.628{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B096E8D8567E80AC7E3FBA95890851,SHA256=9A4D5BACAD6EE39ACBA070D2418271C072CF35953923E3B37732339C33E48D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214856Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:10.016{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89C9C41393140062A15D50C3F5A6421,SHA256=4CCFAE979AD1C54CB95890DE862DE66893A2CF907F13FFCE2E75F2604B347944,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161119Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:08.794{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52127-false10.0.1.12-8000- 23542300x8000000000000000161121Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:11.628{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACC901FE94B7D08C46469F5ED27872D,SHA256=C75986B17413A54C40258AEB1A8202513B5725F20033A98035FFE107D495000E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214857Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:11.045{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19E2EA0039B8AB45B9788EE49C80467,SHA256=6295F48301B9E614242CCC644A524E25E455906AB285866CDDC3431F441B2331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161122Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:12.644{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE1E1524B19430BDEC76F3DF9E7B7F2,SHA256=32362B5A0E7E8EBEED8308DDDF5171A15A9D6EA547B132CFAFD22A647E5FCF5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214859Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:10.170{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64785-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214858Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:12.060{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862A87184A05B5A7BA875C76494AA4BD,SHA256=292C7A24187856B1B468E6C91A7119662AFFF9E887D62F205698250FC17C1667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161123Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:13.644{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8BE225CB6D72C42A66982354BF94BA8,SHA256=DDE4ECDC16DEB8179E986AE91888F3B5A49DD56F9B7294A847612886DC1E4402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214860Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:13.075{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEA43B3395A59C534A8A86BE8A5674D,SHA256=1D4EBAC3CE9B9031FA0D37C750F816260A929393A4B067D72E6957BF9EBB8A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161124Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:14.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9A4ADAA57ACA7FD1D7F0D056C4B591,SHA256=9C204B1F8F6E7D9D39A0D8EF7D2C00B48FEB1142F24457C45B17FCF341197D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214861Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:14.075{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B2F61521CE16DACECA166EF2E5C6F8,SHA256=2056CE93EC94211A7B9972C74EEF7C37E73DD2E89C4DA35877AB0B298F4343FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161125Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:15.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404755EEA358145304C464D9CD989B65,SHA256=0231912D12D5A30BEC67C0ABF89EF88932AEDF598F7F2A2C35FBEAB7EA05A0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214862Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:15.075{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FFCE413A85466972F69B06B4C5B2B7,SHA256=9887CD5EACDD31B3E90F1A66FC0A3EE603872787A34CE906EB880AD94B187F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161126Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:16.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE3264CE6232764E9B42912510686C0,SHA256=D48EE01326C22E63424A570337900A9A2B85221EBB554B72C981B772FA1E56AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214863Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:16.095{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3640C20D27F7A5C3A60136E1EFFA10FD,SHA256=7FBEE11D8C65F7B797A86C3D40F2DAC2C84A53E39E9A17575071A33A87C038C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161128Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:17.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096FE8E199E4E280A91665B0A7868F69,SHA256=583AF7F311E1B53825A94D941A32CE8AC239EA894C265F055AB3FEB3E24903DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214864Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:17.112{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0159FBFF45C837DE78828280678F5B8,SHA256=5AE69F601F76E631D9A621508CF39EFF2BB2756734281EE965477CE22BA9835B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161127Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:14.810{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52128-false10.0.1.12-8000- 23542300x8000000000000000161129Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:18.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CC40E3FCBE949EFB400B2030AE2684,SHA256=9E6B4802F4DB1A3AEF235A87F6BA2A475E5804460E90329F5D9B780269B67208,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214866Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:16.215{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64786-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214865Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:18.126{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9697EA0F917D605CC94EF250F1301230,SHA256=41FF90530C57120ACCB2DAB122A8700436F26E983FFDCB032A7D866B335B51DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161130Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:19.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E17483F49CC0C50D95F8822C970F438,SHA256=64E6A3DE1BBD849B3A3D31F9B2DCC46399A966E6B9F8888130E2158D2BAEA019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214867Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:19.141{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F37FCB999C42BA64550121733D3D2C,SHA256=2EC30E7A96A7B3123FA6D5B82FBC9C498F7EEF8FD3AC570E5733D78A95372B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161131Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:20.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE006C8C68EA9A2FE8A6A0D9F3C35A26,SHA256=5599B592CEE3DA0FD81C13D4729924B26FF47B5F37AED48E731381CBBA9DE8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214868Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:20.156{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC93DF6BB386BF1F987A9B49B92AE75B,SHA256=C5D63481EB02703B0A1BE506996305B2577D8683681FE1476229EC9C3EADF58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161132Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:21.675{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206A07968D4412E2F5B0F958D185814D,SHA256=23F5E3A43257D18DB250B44AFDFA323C374B1D26680CE758476BA57388E08447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214869Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:21.171{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A5102B1DD6AB57CA80B5A920185428,SHA256=BA9EA6000CBA939ACE15B593F791C9956727648EC15D95ADEEEC3362AB610C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161133Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:22.675{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C0335D0AFC59BB006F3B9E4B5B50D9,SHA256=4E3E1C4B5910E41D4393C962403261E9466593162A2D40B4064B149C8B0B2B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214870Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:22.188{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9AFEA70699E5487F6D9C28A97EEA37,SHA256=1EF3930C6B8592A6EE182404FC31A108A6C819EC00FED1856D4A0A8BC6A6BE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161135Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:23.675{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B64A280839905FC041752A61D826A12,SHA256=1BF08FA07C4131F2FD15ED5828EE2526E2AE2ECEA637E0CE0EB8A2259247BA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214871Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:23.207{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C24F4B4D1D6E458BD9554700BD658C1,SHA256=617B2AC5F436A20708F764BF1DF7B6337B179C05412930DC3783229A1159E9A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161134Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:20.842{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52129-false10.0.1.12-8000- 23542300x8000000000000000161136Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:24.753{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04EA1A7897A78D852BE7BFF28DC78003,SHA256=0C940B1BEEF869286A72EF692D1070DC9899E69FCF3C00E294BCF20161D726B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214873Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:22.210{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64787-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214872Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:24.221{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6200F7122CAE9340F404901A71629D,SHA256=FC5D3F226F228BF6175927B252FAAAED6330D99BCF48570DAB7BB5616F961B99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161137Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:25.769{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F570E894F399FDC36F26F3324F8001A6,SHA256=6F557B36E73752A9F6BC55AD22E11226B85C322EFF05711F458C31D0F3A84DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214874Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:25.236{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763A7F1B3E8FAF689AB920C295476931,SHA256=79D40877F437C68A9F76A0D0D224C522A4056C9B031F3222B2E44DC2D9D0405E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161138Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:26.785{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B73C01DC636F4774A9851CCC849B4E,SHA256=8091A49014C59A777C1CB10BBB4D5ECD9BA8FC5BFE80C847DA4660F06418CF47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214875Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:26.250{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0025CE4272960B53FA22435D833DDFCA,SHA256=D0C059A818A67FCE3B92F1F66F07A43C2DFF1EE75695AB1ADE5154DBBAA462CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161139Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:27.816{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B85831340822FCFEF3E554477DFFCA,SHA256=90E93CD7873439845F2E6FA445D38A2E6150699AA3F5EDE4EC7D32D55D459D12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214878Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:27.733{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214877Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:27.733{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214876Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:27.264{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A363A361F97D43A7D8909CD3D98C7A,SHA256=5B195E181BD6F0D993BC96DDC80E5C4FCC608BD3D49DE707327216C82C3E6935,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161141Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:25.889{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52130-false10.0.1.12-8000- 23542300x8000000000000000161140Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:28.816{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13AC366C7C77B9083782AA2CC792404,SHA256=AFF8D817FF869CD82D77A00E88957D48795D9A98B0EDA206813771B5DCC4B419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214879Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:28.283{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04363F8BBF33C949AFA350505F90FBDB,SHA256=93B403ED9BC0A33242875D4916CC181CBB8092908D5FBAF9049A1350E6592346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161142Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:29.831{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54E12E397E8E5C5334F3A89F63694DE,SHA256=F79BBBD79465D1BEEC9BC1FDD51B3D6696F99364D09852234577C0EADFB97771,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214881Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:27.243{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64788-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214880Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:29.316{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47F36DC0DF79E0E36E9414A05B30664,SHA256=0FFB892E0F1EC3C4336BCC9A85C84F146B1ED821B040A1AA8D9EA1DD194BAE9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161143Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:30.831{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34899E0022E7BFB3DB1DC4DC0B9F5587,SHA256=DABB218F9597E9C8E5CF62542EA95D16A1F3859CB1CF682E79E059BC41EB43ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214882Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:30.382{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4EBF748F366C12CA0B91F50F4BFEF1,SHA256=86B2745B7DEADD933CF2B4EE248FDBAD190902A6165A971CF475691C599E1D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161144Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:31.831{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE9D41AADF31AA8D82CA83D92B59D25,SHA256=3FD403B4FDB5CF64995CE7FF3C8CDC7465A7798D573454E2B7A79E0981977D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214920Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.679{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D514106C2C95D9462B339393F67FCF1F,SHA256=4977F862D496055FEACA3F4819E1B3419B5B01C0B5FD1F4E405702ACB4A6D0F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214919Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214918Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214917Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214916Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214915Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214914Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214913Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214912Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214911Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214910Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214909Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214908Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214907Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214906Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214905Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214904Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214903Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214902Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214901Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214900Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214899Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214898Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214897Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214896Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214895Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214894Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214893Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214892Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214891Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214890Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214889Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214888Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214887Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214886Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214885Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214884Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214883Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161145Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:32.831{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA930EDA888C11EE2D20AA552CD703CD,SHA256=7D6D17C01E0D6297D618053447932C4FB1C88919F4B1CACD0E127A5367DF54B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214921Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:32.714{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28DC76227569526CF42B8ED19194B0B7,SHA256=B5C21917B779429B46F5059DF327CF47AC9914F1C5DFF45BE7DF12CE8537A2A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161147Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:31.764{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52131-false10.0.1.12-8000- 23542300x8000000000000000161146Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:33.863{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815BED63DB6BFFF820EAE1DC1F9F8625,SHA256=2605BA0386648425F55866B767F26FFA891F49A0E8E479065806EEC3441B17D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214922Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:33.728{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C20537029BD9069B88210A6A5E7DC2,SHA256=FC018050F911678F73CB08FB57FCB23DCFF1CF9E4C765FBA465F14C5FC9F2827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161148Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:34.878{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFE9A0889914F211BBB0762772FB467,SHA256=65CF94A377D8746897D6BE74A8436725584617E70F2DB583012F50187203CFD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214924Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:32.285{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64789-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214923Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:34.743{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265942110A63EC2761885BDB204FE508,SHA256=D44F443C1D9151A319E033CDE9A927E9106D94CE97E3372B6EEA0DFF129BF26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161150Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:35.894{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F7B3201F7704182A58BD0395947B28,SHA256=425FD47616E39264494C4FBD4BE509E0D198EF37A66CD5233FEF29F355F40A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214925Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:35.778{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B343FEFB34C1548E3FFEC5C6ED5DB3,SHA256=593C47FBE2871AE82CC2DC704B250C3290F9169476DB1D3F982EBBE832B42DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161149Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:35.300{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=77C724432076DB40D4285CBAB5867874,SHA256=EB3DCBA7AF50F0A7510DA6CBCE1332608391F69337DE3CB262808F1C0B0663EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161151Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:36.972{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AACC35DF8E5230325992AD64C67597,SHA256=7F02B4F7B874288001A3F08C8FFDDA1408277AD3CA0C2569E22FE83C719FF541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214927Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:36.873{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DB7301B2DB28F811A94C84CEA421A9AE,SHA256=1D21D1A99D4D9BEF4237FB91FCCE591243AEB9C0AFBC2CBE79AEFD374067161F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214926Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:36.857{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6A35E8EE671F667DE666320AD217F2,SHA256=B8969F114496B4B79872D62388052DE9F55E2FE7ED0D5D67FD6C7A4E352907AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161152Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:37.972{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F3F294E06FF84AD6933DAA0C6A65DE,SHA256=B9C43B25187BCD4AD5D46B754AE7FF59B9B3087B4309318F1BC7F33C5165DA4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214928Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:37.874{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318FE2B6E5110C6298D527D73B8D5CD4,SHA256=39E2BCCE0F909865165FBFDE04925C94066BC0DDA91B4E51ECCDE37A44DB6CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161153Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:38.988{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D730B5C2E3C4A733976D5EEC28D54C,SHA256=554CCFAFE9795C163EFE04D6C59FD506451A6C284ECE2DA0FEEB84DE46C8D9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214930Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:38.892{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A16156DB33CA066555B0C4A0EA8B38,SHA256=7D2FD56748D1DF55A467E9BCF961218513418DAF570A5F4A5A762AD6C2926C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214929Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:38.755{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161155Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:39.988{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE91BD82FAB60378EA0E7EC3B9E2E8E,SHA256=B8BED75A9D11FBAAD47EEC046F8ED816D4CABC4E89F0A3B819538DB329ADC47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214933Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:39.923{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF0AD42E724F2FBBDC6CB3358C45364,SHA256=E764A67CDF49EED1D6A7883E1FE3D9EDC74895C459DB24DBDDE169089BB54A72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161154Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:36.780{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52132-false10.0.1.12-8000- 354300x8000000000000000214932Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:37.865{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64791-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000214931Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:37.296{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64790-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214934Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:40.953{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E24E889C603D8605D00FBA2A9E933D,SHA256=1A26E1F7282F0F77D9DFDC74B8C2B61AF5C93522D5EFCF5C7F1520FBFD0994D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214935Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:41.971{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF04B4FC10858EFE4713BB968C8972C5,SHA256=0748896F71A43EC1E0ACB48473D6BAF4C1A046419C8DB9CA3999D173ED2E0844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161156Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:41.003{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9232A021497686427C149790EF9B3C,SHA256=69828AC60150D8E00B7AD2B9C45059729381692BE26C9E1687D0D78AF0F07AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214936Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:42.989{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E1D6404210F8478B3FA6B4D26C6118,SHA256=10EC72DE7BBCD1673FDE896CFB1C6A064672E38C32B93A4A58169494D9F10A32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161157Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:42.035{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DA57027CC07FCCB6A37E23F5BED5DB,SHA256=C344CD18485E2915A3138B7A54FE57014FDB7FA3FCBFE67CA1352FDDEC4DFCA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161158Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:43.035{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A5028E93589EE421D2CA9E6C01ECDE,SHA256=C1A37E385A642A50D7479ACDED0CD673226011AACEE4C1E1391E3FA939E6867A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161159Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:44.081{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A352505A844AE440A1ABAFE37AF74FF3,SHA256=2888D4DAA477D43A1B26E3E36049B8564363CDF22B5E880EFD3D28BDCD16A938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214937Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:44.019{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9972435B9F3175B728EB822B33F0E4DA,SHA256=86044DC49CCD6E2939C00F1725A8B259425CF4949545AF0AE9B339DDF2C97E04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161174Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5515-6116-F805-00000000E801}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161173Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161172Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161171Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161170Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161169Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161168Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161167Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161166Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161165Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161164Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5515-6116-F805-00000000E801}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161163Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5515-6116-F805-00000000E801}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161162Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-5515-6116-F805-00000000E801}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161161Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:41.811{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52133-false10.0.1.12-8000- 23542300x8000000000000000161160Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.191{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF487E4EACEB15F5BF1CCE04D1E258C,SHA256=47D9881DF2B384625A32BF2D6D220B0250B91F5DD4BCD7E6DCB62A1999A5B791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214938Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:45.034{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B6B8ED835C45C624E462A90ED0C09B,SHA256=351D765EAEE006E497295293E14097ADF3F8DD9FF661FAAD446AF369DFA2A2AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214940Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:43.313{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64792-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214939Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:46.051{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB3804AA93DD088C575C3E3777D2101,SHA256=91E2B7CD72B99E5A5EDD41492DEC7F8A2BD507250005FDDD5FCCE8FF315E3BFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161203Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5516-6116-FA05-00000000E801}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161202Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161201Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161200Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161199Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161198Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161197Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161196Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161195Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161194Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161193Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5516-6116-FA05-00000000E801}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161192Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5516-6116-FA05-00000000E801}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161191Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.832{C6197713-5516-6116-FA05-00000000E801}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161190Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCDDCB701817884A6F324D2BE14DE428,SHA256=FCAB3388C0E90A6614F615CEE628883F2E5812B9DD0DDF34BFF548A623BBE8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161189Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B88F6A41A09DC029F29D84DBA71DCE4,SHA256=E2DC4EC9FA60C8E684B892A33AB8F68937687E7D2829F8C3437D429CF6D3E493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161188Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5516-6116-F905-00000000E801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161187Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161186Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161185Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161184Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161183Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161182Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161181Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161180Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161179Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5516-6116-F905-00000000E801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161178Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161177Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5516-6116-F905-00000000E801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161176Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.332{C6197713-5516-6116-F905-00000000E801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161175Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.191{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE09979F5001B1E1B63D1FD9EE852E80,SHA256=B20DEC31E6214D3F0CC7BB09936274D6A6C5B1B6F9911DAA4AF19C7949C14558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214941Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:47.073{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B455695F963A1126CEA95603F4F09BA,SHA256=E5E63C109A52A3EA1887AE0643B6FE9D659BC2257FC12D17FB66B8C2C0954101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161206Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:47.910{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCDDCB701817884A6F324D2BE14DE428,SHA256=FCAB3388C0E90A6614F615CEE628883F2E5812B9DD0DDF34BFF548A623BBE8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161205Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:47.300{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C73067F487C94B785D2BEFE2EAE434,SHA256=CE1DB5AD3E1F99027E97D8ECD52EBD3D7E8B1E55EF64DCCFD62D1FADB55A58F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161204Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.988{C6197713-5516-6116-FA05-00000000E801}9283944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161236Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.988{C6197713-5518-6116-FC05-00000000E801}3256416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161235Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5518-6116-FC05-00000000E801}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161234Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161233Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161232Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5518-6116-FC05-00000000E801}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161231Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161230Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161229Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161228Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161227Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161226Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5518-6116-FC05-00000000E801}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161225Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161224Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161223Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.786{C6197713-5518-6116-FC05-00000000E801}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161222Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.503{C6197713-5518-6116-FB05-00000000E801}3488348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161221Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.316{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FABE4C81A85401AA7C1A19949E5E77F,SHA256=DA44C3A89E6EF75763EA7CE3B0FD7E9DF87DD57A41598DB87CEA89838C775B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161220Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.316{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214944Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:48.422{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214943Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:48.422{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214942Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:48.091{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB4DACD73AFDA45B415B0EBD6CA8E42,SHA256=9BE69240F05A7724509024E0B6DD7DA2D5988947343CF484A725933B2650A93C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161219Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5518-6116-FB05-00000000E801}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161218Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161217Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161216Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161215Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161214Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161213Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161212Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161211Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161210Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161209Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5518-6116-FB05-00000000E801}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161208Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5518-6116-FB05-00000000E801}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161207Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-5518-6116-FB05-00000000E801}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161253Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.613{C6197713-5519-6116-FD05-00000000E801}32161736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161252Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5519-6116-FD05-00000000E801}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161251Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161250Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161249Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161248Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161247Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161246Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161245Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161244Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161243Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161242Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5519-6116-FD05-00000000E801}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161241Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5519-6116-FD05-00000000E801}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161240Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.457{C6197713-5519-6116-FD05-00000000E801}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161239Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.363{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1549F7F3CEDC829EE7F88505A26D8F9,SHA256=AD1DA80A9F6E1DC1B6550B519E32992C7326511D2A18BD714908566943A1E293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214945Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:49.121{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E00B2AE380EB819BC5FBC802E2C1107,SHA256=991B49C21C3EB65EC5AF0C61F3D079A714A6C997A7E0986671A895D1E07E3BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161238Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.300{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=087A5E671486F8B6284F84C0704D4C9B,SHA256=A8B4903E1578E9983E747BEE82F3400982DC87DCFB7D4C0B73923C4836D6C365,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161237Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.920{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52134-false10.0.1.12-8000- 23542300x8000000000000000161269Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.910{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BEA1AECEA3138D036CF7AB680516CA,SHA256=3E93244045C73F2959ACA5F0A7B211FB54F71D41ED48BF0C5BF335B260EAAAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161268Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.910{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A1F35820D4344AB24473A201EB6D8F4,SHA256=C40590A54F1538BEF3CB060AFF415612B2D827C01C50FD70CC65DE9C78C59A70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161267Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:47.967{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52135-false10.0.1.12-8089- 23542300x8000000000000000214946Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:50.171{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB9C9EAC1ADB71146B657CEABB13C9F,SHA256=F8A83514C9A95DA909878BC8C91F871AA478434C2679A3B07BA624A8F4C65B47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161266Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-551A-6116-FE05-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161265Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161264Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161263Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161262Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161261Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161260Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161259Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161258Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161257Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161256Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-551A-6116-FE05-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161255Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-551A-6116-FE05-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161254Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.129{C6197713-551A-6116-FE05-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161270Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:51.597{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB75CC560AEC513131FF3A24B8A16016,SHA256=2CBAA712BD785842C54BB131CA4328E425851E5435C5ADFDD863038939BBC4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214947Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:51.189{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921B03EF93CE0F1503C915F6E8BC93B1,SHA256=F3E2A91498D9B0ABDDC3836955D38837010FB24B0DE14D2A403181157CFF8AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161271Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:52.646{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DD01740629AE907283779622E81E3E,SHA256=951068A30EA2D4245F2B86897961C236B37435475058F2DF988DAF179234F450,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214949Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:49.331{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64793-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214948Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:52.203{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB11E9386FE139B717914470096780D5,SHA256=0D97509EB43FCD8CE7BC2705C305F654CA788A3376A6F7B3B87C3B56CA701999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161272Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:53.659{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB2E8FB27B1E75C25C52D58CAD3614C,SHA256=0CE94BF34DA68ECACD428F02DC4CBEC5F512ECD7CDC1D5BA556ED393E4143EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214950Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:53.218{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC55B5DEB8541D5A776785CBD3E8CCCA,SHA256=A05C76B7A70CF628853CA23F634B92E349683970A0DEC8117799ECB3685C9FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161274Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:54.662{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6546BB98415F22F70B52EB77B80A17,SHA256=FC78F970144EE080AF49A85AA16FC95F34D5A0D9C110CD46A4A37E46B2EC217D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161273Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:52.733{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52136-false10.0.1.12-8000- 23542300x8000000000000000214951Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:54.248{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12C0C0D5FFD80251F9B6D2661EE95E3,SHA256=6573FF4E999176348B66257AEF303AE77EF5356C9B67217284D60428E0CC9E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161275Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:55.662{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DFD377E9D47C1419A1669D9B0CBCB9,SHA256=3A60786ABC7B244E3CA2DB6D18FCE6A121CFE776D454E0CD3CABAAE40BB64CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214952Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:55.248{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9331799BBEEA40D59EC39DA728A09D,SHA256=ADF223899CCDBA8355AD853098F4939F2976345D58049C0FF40D7F0DD227EBCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161276Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:56.662{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AAFC3776E5974C8AC3EEAAA4AA21FBD,SHA256=42FFB8C4F5A81DFB439281E372D140AC1F5FC85987E697CAB5F1E2752921D1AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214954Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:56.647{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214953Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:56.266{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E9F349F5266285EE9CB8454CF613E5,SHA256=37F229FA6FC11CD671F222156B92E9AA5670A5D47174D620D796739BA1D72801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161277Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:57.662{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B152110491FEB93901F0972A4273B282,SHA256=966861E57131CC1328B0667F3855C8291CEF947419637EEA698707DAEBD856D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214956Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:54.373{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64794-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214955Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:57.300{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DBBB1F2310DF3F373993DE85FE896A,SHA256=C319DD53B7F3A6C4C4DAE8CF4CD184D375566F87793D40CFBAA7D69636134506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161278Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:58.662{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A784A9E75943E11478739163FE804B8C,SHA256=BF716F9A04F398F96EF586A618D0250E0AB13A554A2C8567AED1A593E3CCEE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214957Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:58.314{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FFA3A7DF0A9101B3052010FB497174,SHA256=D183EB37D68667FBA122A2C9256B47B1C2D126CE0FA500C1DE0351F1A2674A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161279Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:59.662{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EF5378DB479DC16DE633F11982C530,SHA256=807C2229A6A5C39FCFD70C5A63089278FCED27B1F9C6AA630DC49ECB7A5E4601,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214966Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.766{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5523-6116-0307-00000000E701}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214965Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.764{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214964Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.764{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214963Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.764{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214962Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.764{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214961Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.764{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5523-6116-0307-00000000E701}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214960Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.763{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5523-6116-0307-00000000E701}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214959Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.762{079FE16A-5523-6116-0307-00000000E701}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214958Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.329{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD13F5023A7832C934392DA793E30A6,SHA256=E454F887E3A4249B54E5567D170B314E310877B8209ACC1AA73CE873E85D5DE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161281Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:58.767{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52137-false10.0.1.12-8000- 23542300x8000000000000000161280Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:00.693{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C826DEA6D195CED0CA58AA59B80A6638,SHA256=D1A33CE54FE6F0ADE239E7B23D868975EF0DF83104B6DED0AE6A317CE18E6FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214978Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.771{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C25D9D777808EDF7E8746AD16DADCFE9,SHA256=7A49CA2B5F835D0307F09E253508244436A3FC9EBB2EBC37DB5E9FAA867559AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214977Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.771{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03889430E4E9041C3BFFBF86DC6DB76A,SHA256=CDCB5FEB50C1A21C2B2213EDF966C2B19E3F3CFC15D78FAA7331F40238F221B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214976Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5524-6116-0407-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214975Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214974Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214973Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214972Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214971Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5524-6116-0407-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214970Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5524-6116-0407-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214969Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.424{079FE16A-5524-6116-0407-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214968Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.354{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DBAD051309AA5606AE7B83B01A4D7A8,SHA256=5D9D5E2726F5144C766AC766FB377FEF0E04CC13CE39A8EDC6EB2745B336B0B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214967Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.078{079FE16A-5523-6116-0307-00000000E701}43806744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161282Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:01.693{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08618CBE7C6F193E635A4F7DA468372C,SHA256=B8EDAD51A85F0D37C814E1C5E8DC2C62D063AD973103A79A9FDD57FB4560A07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214987Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.370{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D41C34F35F8A086BB4CA19842BBB7F,SHA256=9E8E37CE1B9D8C35FDCE9E1D8A3F06895B87D0245D1F51C53B574D90F1359280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214986Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.093{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5525-6116-0507-00000000E701}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214985Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.092{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214984Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.092{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214983Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.092{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214982Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.092{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214981Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.089{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5525-6116-0507-00000000E701}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214980Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.089{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5525-6116-0507-00000000E701}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214979Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.088{079FE16A-5525-6116-0507-00000000E701}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161283Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:02.693{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825AFFF2A60E7B30A52574F9AFC07896,SHA256=355FA460B95C1F3FA4B26BD95BCAD99C1CDEE03CA70E3248E518E7E5C706B540,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214990Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.133{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64795-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214989Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:02.388{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35122A1BD202B16DBB713FEF0E00D31C,SHA256=22F1F1CF4CB1FE7EECB388AB02E03491C5BB32E07C98B5CE0106C5E76577EAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214988Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:02.107{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C25D9D777808EDF7E8746AD16DADCFE9,SHA256=7A49CA2B5F835D0307F09E253508244436A3FC9EBB2EBC37DB5E9FAA867559AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161284Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:03.740{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE3EA24409BC4EFEA4C9715FED2608A,SHA256=A70E96714EA60EA6D5A6188D445D235F2667F4810B17D5FA28F0A2FA57164AD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214999Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5527-6116-0607-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214998Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214997Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214996Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214995Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214994Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5527-6116-0607-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214993Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5527-6116-0607-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214992Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.754{079FE16A-5527-6116-0607-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214991Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.421{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA96471D7CE3C64D9F05CF8C1C212C9,SHA256=CAFABEE41EDB3F5FD4AD4D583134D13B380B2EB7E63445352DC326241FBB1B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161285Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:04.755{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3613A9AEB8C9703F3F76BAD2439E7D8,SHA256=45C22F72FFB2B821EF7837479D543F6F117C81911CC82AFA591656FB091565F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215011Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.707{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCB3E7B88CC8A2E562C40F97DE82173E,SHA256=52314C7452A5250D167108B561E38EF823923A49FCBC1E8563B1C8F1C0C69339,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215010Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.591{079FE16A-5528-6116-0707-00000000E701}12326588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215009Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.439{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8029AFE40923DB7004C41D3ECE183D0,SHA256=BDEEB5B5691A6934F5DB88798FDD883DE4CB0FE221001CF962A35292AFCF166D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215008Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5528-6116-0707-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215007Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215006Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215005Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215004Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215003Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5528-6116-0707-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215002Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5528-6116-0707-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215001Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.256{079FE16A-5528-6116-0707-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215000Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.023{079FE16A-5527-6116-0607-00000000E701}71446240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161286Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:05.755{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9553E15E0E6238B11B82C826671310,SHA256=683FE629AAC69726879E86FD0E12202A165E31FC0506DD948B5C51B0BA246BC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215031Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.968{079FE16A-5529-6116-0907-00000000E701}11046400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215030Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.790{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5529-6116-0907-00000000E701}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215029Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.788{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215028Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.788{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215027Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.787{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215026Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.787{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215025Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.787{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5529-6116-0907-00000000E701}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215024Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.787{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5529-6116-0907-00000000E701}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215023Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.785{079FE16A-5529-6116-0907-00000000E701}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000215022Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:02.810{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64796-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000215021Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:02.810{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64796-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 23542300x8000000000000000215020Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.453{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F9816E7EF8AD26F053C705C73BC0F2,SHA256=40843B0F8E0D7A68CA2777034C394F220A262DC9872B97288315F588765BE597,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215019Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5529-6116-0807-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215018Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215017Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215016Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215015Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215014Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5529-6116-0807-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215013Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5529-6116-0807-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215012Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.124{079FE16A-5529-6116-0807-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161287Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:06.755{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C795C7C48A2C81B71419B9E8E237B9,SHA256=37F067BA5421BFCF2F7B6ECD99BF879C502E3D22F2FC1A07DBA61F361DEE2CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215033Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:06.468{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F436691BD085A0396A7302EC900F2715,SHA256=EEA014C8E0A72F0AD97CD388AF37B0EE01807F7FB2DF8F99F4BDA88C87426532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215032Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:06.137{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB1F11AD4C7B158FFD88217F21BFEC3C,SHA256=5E9B0757BD29DE42AA830C5C149D381717932563D7EDA2F862A8CA8C1B627EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161289Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:07.755{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DC89E04A4BF514D79ED82AA3616D69,SHA256=9A17AD4AFD3D991E6921F394958A2E3ECE93960437B66A4369C50E641DEA3DC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215035Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.231{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64797-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215034Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:07.487{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2321087506B5EB936FFA67AB66711BDF,SHA256=9F9B0805162005045949208BE039E25B00F3CD1E34178433BA6C4EC6746FE1D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161288Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:03.829{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52138-false10.0.1.12-8000- 23542300x8000000000000000161290Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:08.771{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAEE4CA5657DCBB00C756380E7CAA1A3,SHA256=C13175DE298CAADBC6A46569C2000F2CD8809CB9280DDB09DCCD77EA503FA755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215036Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:08.521{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C5706BF9226EB7D78C8DC2ECB88C11,SHA256=EAC4FB5D13863B96BBB29DACDB1391CA6C1EF55BB9F8F56A3F0FE299BAC5144C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161291Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:09.771{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03956DA380E66633E2F06F8C948A2FB8,SHA256=EA38549FFB61B8B4435D79CF830CF0D44F8660B900E5826DDCACA99D64AF65C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215037Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:09.535{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E295983095B9E9389DD9BE3650EB82C3,SHA256=D43E9FCDFE8F12FDF5745150F0E70401B8DAF5CDFD6598270758403C23914408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161292Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:10.802{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A40231B412E073380ACB8349401F17,SHA256=E49E520C20B9FF15E28C823496A65FD752063E7981F36A784284A431A0AF0298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215038Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:10.550{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D927DFFCFFB39C9CA3FF76D96F7450,SHA256=0D4D907A450BEC6F61C66BAD126C1B0E5E2C51E9A782DC105B8BF3E70B4FA8C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161294Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:09.735{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52139-false10.0.1.12-8000- 23542300x8000000000000000161293Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:11.802{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C794325FA882207A077D6487F3D397,SHA256=BBF4D8D1717B917C548CE76A3DCB8CAEFE6854BC903BCE232549E9EA593AD696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215039Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:11.565{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA52355094A32ED94C26BC70B237828,SHA256=1277D7F7A96D7E4F4E5361A9C1797BEFE66924D2E782071A66D787433770CDB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161295Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:12.802{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313B2033074BA41ABC5A8F7BD09E2380,SHA256=B51DAA2416DDB73A8CCB59175B5AA0268CDD80A03886497733A46A9A402256A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215041Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:12.583{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E6A8E933AA7945F64B582CAA8EBE1F,SHA256=C68281ECF2F7CA8F11BE4615F64F4BC03990701157667A31D29125921D08B94A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215040Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:10.244{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64798-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161296Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:13.802{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DC204E5B9B704EF54ED4179B4B809A,SHA256=9DDC794560321AD4D608EDA9ED1FF79ABAED2F8A3A34493804667CCE794D0F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215048Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.601{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FB08C459DE73635FDB0C66E172F164,SHA256=CD44BA467E246C175EB9288D4B9134DD1A72C6864B32266DE0E4968612301B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215047Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.386{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2A7463461396EE1815D1DE9995FDD1B2,SHA256=401B234A10E9C1D95E9467A5F665F5B8E2E091F344855B4A1DD6FE5BEED13E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215046Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.386{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=E70B45A44A0A7F49B1CCB7324A022943,SHA256=2611E3523DB8493CDB1F81CD3228A3251E21974FF1A82D166EE870EAAD9052BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215045Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.386{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=86576348277C1BBDF1680E89E63BECBB,SHA256=C8247AF8D3FCFCB2D66BDAEC3BBDED3A431ED0C5B86374E3A3D5FD55918A3FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215044Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.386{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=825AB2B88FA302E2512A6EE7FD0D42FC,SHA256=AB481D7A07AD3B9D0D25B063668DB67306D8CEAF07A96F4D8D6D9D590AADD73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215043Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.385{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=A76C9F86290BB560CCA66EB9A556D801,SHA256=123961946ABCFE04845461C04C127A819A570BD56D4C7A98A110DA5B327975BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215042Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.382{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B724B9AFBBC25326B77C4E81974BB1F5,SHA256=F5B5092F301FCE9D3D43638B302B8E25DE0825FF8890953960E122355E8AC153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161297Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:14.849{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B52959EE18ACD0C2A615487ACD7BFA,SHA256=C88D07ADB12DB69A564B7E4AAA29833FADC912DC23803C4FB0ADE96BC2C42B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215049Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:14.616{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11EA811F278C3CC886BC4E9D86AE935,SHA256=F6C86F119EA239A2D1A8EEF567A8536E265A83B9E2B04A534383CC8E006C639A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161298Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:15.849{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA451D6205ACB90E5F1C91277A49E1D,SHA256=84E1A8539FBAABFC3BCEE348682CC32C4945B974DAC075458EDB067368C715F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215050Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:15.647{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B7052C77F62F2AE9235B2F18DF133C,SHA256=C1FC3BC53D675D5FAD3E2988410211B4F0E2E5AADE970E07A94B0E3988C8F689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161299Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:16.880{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EA8FC18D032BCAC216DBA826E3C54A,SHA256=6D4225F650551AED112069D42B93EFBB0DE3D53FB10687CAB3746268500A550A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215051Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:16.661{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E65188DC889013CCDAB9854B7B5E53,SHA256=D4DE066DF0DF7AC83D251112A762BC3E14BC8377F897130688BB01769871E2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161301Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:17.974{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F52DFCF807ED065909A76B2F8209DC3,SHA256=23403E25E648543E4A23A59CE693658B70DC8E33EC3999F5E4E14F20D7B5CB02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215052Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:17.682{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA0FAEFBE65E52B072570626D1534FA,SHA256=6AC76643228AED05491C231B953E04B5E2FD8D9669454A0B0D5630DB3C87AC70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161300Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:14.770{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52140-false10.0.1.12-8000- 354300x8000000000000000215054Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:15.287{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64799-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215053Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:18.697{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C3C5CF4EEEC8EA10C69CF69ED64509,SHA256=98CDFA03E9A18496754F56561B25DDB9DB33F8C2302F6C7C62B6CDBF44009CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215055Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:19.728{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEAA9002B7AA84398AD23F23C76F5926,SHA256=D1F36C32B54820F4C5778F575CD5CB6E74019BAF9584712060CBA06824D8205C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161302Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:19.021{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91A09DFA762E2513C3543D55AF57EB5,SHA256=DA6824ECC7887AB79E56B03E91D4CBFEABFC8DC2E7E21D40F6387FFB0E691EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215056Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:20.759{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E1F17DD6D107BD8EA292A3EDC614E6,SHA256=FA5F12C0825AF9DC5E0FF1A12EE4E7F5FD00B91E1C4141DA95FA47E536425348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161303Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:20.084{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E86D23A5F788A3062547B2DFA65640A,SHA256=3CCDB1E35D84AD1A055B80ADBD079040472C8B5D92FF7711DAAAFD57A8D9B758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215057Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:21.778{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFADFE40B7CC983712049131272B1B4A,SHA256=8B4EDF86D630DDBEA83CC857C9F65555986A7784CC8CCEBC3855405BC2370893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161304Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:21.115{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A0751F6AB248406984052B56BD47BE,SHA256=9118FBADC13C43E6245205DABA82E3B0773209B500D62A2BA94BE9592F54B383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215058Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:22.795{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89952042C678F6507466EDDAE6C9F7A,SHA256=1859D2772D15AA7D02AF855A6C74698CB4572F3B033D564EDB632909B6CA0BD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161306Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:19.798{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52141-false10.0.1.12-8000- 23542300x8000000000000000161305Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:22.115{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00E14BFC916661C57EA4F14E778EB6C,SHA256=1DBA622BF0701B3CEF6F4AE4478291320C059C8FA516AEEB7E075834744309E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215060Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:21.220{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64800-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215059Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:23.809{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F8EE18909B674B5736698AD2BA0AEE,SHA256=E663652637C3C885DC640E82E28D3F4C53D498A6F156132C3393DBE4ECCDDE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161307Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:23.115{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E70806D0F3FDACC490DF7F9FD74E69,SHA256=FDCF6C9D4ADBF1D933B172550D8C19D770C5603BF4CDA99F23BCBD025343B7D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215061Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:24.824{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38BFDB274FA79D563AF64BEDD1AB7D8,SHA256=B18FA485EB817AF9814A3EDC7BC05E17133006D51383AC1FE4D978368FAB03C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161308Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:24.130{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAECB27B970217D95B7308DB4EFAEB41,SHA256=1EDF91FC2063A92BB1311B5DCBEF626255F11C4035CEF6729271924C006463ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215062Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:25.839{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDFCB25FA4474A900E3C8A31D416B67,SHA256=BBA26B039F0A716AC867D99A90300FDB6AF033F65787BFD21ED3413166EA4A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161309Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:25.130{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA494CA5CF8B65DBAB44A392B001147,SHA256=293745BCC2E7CD42E2EC68130B68683A1FB6C53282725AA9D03565C8C1323166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215063Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:26.854{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152DFC1CC6F4A8343A5E1286F96139A5,SHA256=1E33B906222F0EA7AB565FD2300633122954CDBACC8F489A3128892BD75866BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161310Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:26.162{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AE766FFE85475C4946AC7D34CFA13B,SHA256=65A85CA706E64B1A5731C13D031FCBD44E431273AB13D6A69D32DD4E235A6154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215066Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:27.890{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5B506DB746CE301735F0AC0E08E0F7,SHA256=ADDDC5B102C2B5F50F5D5BC7FD22BBFDE2BDF5909D049E133257C3B1E42BF612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161311Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:27.162{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775D760F1F3449160C8F5C514433863D,SHA256=4177630852F5284CB70A25986195144CB78ABE9FDC0DBD6C251B2CD79638560D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215065Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:27.522{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215064Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:27.522{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215073Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.905{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD06F7343A279837279667288338F2D,SHA256=6837ACC71FD90054EB293A18229197EA6F723DCB0D72829A0AEDCF535AD6E465,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161313Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:25.845{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52142-false10.0.1.12-8000- 23542300x8000000000000000161312Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:28.177{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B836B56FF425F11990B7D3C7DAAB00,SHA256=B04D9320593519BAA777D2363EC67A6A6415606FE726F1F550CBE280D4DF4637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215072Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.421{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=4AB053D8ABAEB4C61EBE9D8C0905F16A,SHA256=9A794ACCB3E9E1D2881DEFC2A4B20C3DE3EFAE8B20584476A5F9B904B6CDB330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215071Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.421{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=FB35A4D3E2DF2425AD2A4B2CA379E54F,SHA256=44944C7B76E1DC85078C97875E8786FDB86F87F4EB223E5A7D91EE0D0960E1B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215070Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.421{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=CB5B8D1E704B2991D58D08CA10435AFF,SHA256=B4C6AB6FAF40A9BA5861CE6FD895D27D04BFC538DB6090BFB543CF1C3C967884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215069Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.421{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=29B378B88A65340A109D3F257425E858,SHA256=E05B8D4BD1B4522416B08BE18746A1351D95F3813C8C5061B2A51901BFC831A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215068Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.421{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D8CB20734C6D19D5B7C04C0B3B846ED8,SHA256=A037A514777E12A8787C4E952A034995899DB94CDF06346F22403A123F5C868D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215067Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.421{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B9552895616D12B3BEAE3E729F47D2FA,SHA256=929F258930F8531CE505BFB4B791B5AD51C371AA6870DED76C2D6DEF58F1C54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215075Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:29.920{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4239D9780FACFD9EBA9AC34B7EF5FD,SHA256=2650F4B531A028907F816B5C8D009F796F19F9B2DD0976BCFD00D841A5FAA501,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215074Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:27.246{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64801-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161314Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:29.193{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2854A32CA353B659E45FDF6C24C282F4,SHA256=A10CD136116D465F62E380F3F0CC11A43EDC98A53A0B963AF45150ABDE4AA4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215076Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:30.934{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF864155ECD5855D0EA8C261E6F75BBC,SHA256=B1B1895E2F3630BE33C932957F2621511D9BF04655CB0D09B21ECDACD2ACDD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161315Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:30.193{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF281CD4F07B27426460DBA826507D4,SHA256=D902EB4D339064627BA68B25F3D53E3A5F8AE9847076B78F4D4AF747F5D65382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215077Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:31.949{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC035F02C3A7E7B60BE1B35D0518A04,SHA256=17E8814797F478BECAC3151961DF975704102DF8CA5F650D62BB784F00493477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161316Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:31.209{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAEB05C26ACDB578C6DCDE21B25CD99,SHA256=4C303A6177B7BDEE9F2A1700B0C025241C9AA744D4544D05A91A0EEEBFAF3428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215078Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:32.966{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EAD0E45070EFF0526BA13937A67F80,SHA256=679B5BE17BC16B606807D18E8D520F7989DE69001F420ECD9D81C33504D29708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161317Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:32.255{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B465A972FE16791E49E9CF177AAA1E,SHA256=40A9565B7AC63424410E660CB20088B17FD0B8F2B42864BFB7DD2040EDBEBD9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215079Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:33.984{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B555D946596E0496CE1DD290DFF25AA,SHA256=2F4E82D68A6EBA04B63870AA4A47755E0963986DFC5F840C5995BC51A9A3FFD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161319Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:30.908{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52143-false10.0.1.12-8000- 23542300x8000000000000000161318Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:33.255{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE48F4C68FB70DABD47822A01E4E71F,SHA256=F740E702939712A63E57336B0979EC0EB85ACF98B1D7EFA8059692C3AFB534D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161320Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:34.255{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DA4CA1F832E09777581C6F733A8E5C,SHA256=30D67D72A62ED58C4C623F06159822EA61CF28B9F08D1F0D26E8D953AB873F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215080Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:34.999{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97EB3A5CCB891450FC5D4D5C34E40ACB,SHA256=BD60C79DBD1FC6BA082C686C87D8636582B2229B66378DC6622E4E22D7D00A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161322Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:35.302{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=044178DC3CCD2F5935637BDE94FC6723,SHA256=E47235052D2691313571F5FAB38C837ADB0633D1CE87FD151CA249F8E109C170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161321Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:35.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8EBC815B697BAA972650258661589A,SHA256=1039CC000FA77E56820BD0A3635C3DD92EED6A50D91C4CCAB2DB35FA4762BA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161323Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:36.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2335241D028261DA22CC4E02102D1AB,SHA256=12D61F9173CB7AEDA7C750BCCE40EBAA75F538FCC5DA63E6BD45D4EE786E0BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215083Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:36.882{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6AD76AA11415D693F92A82CA88717AAC,SHA256=CEDD68B2AFACE491BF986D4924873F8F2C3CE7397A83371EAFDD89A2ED00C216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215082Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:33.272{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64802-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215081Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:36.030{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0525C745A47476991A45755FF108338A,SHA256=B006E95E41A445E07D05274FCCF35330111527E55394CDC47D4FD81F832E96C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161324Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:37.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48B0DB8BA1F6AE8311D477910E3CBEA,SHA256=C2748C5943440DC320A958C32B37151FB9E0A2E71A8017FE220E69DE7C9C5A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215085Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:37.629{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\permissions.sqlite-journalMD5=8CF7A7DA6769D23C478264D99641227F,SHA256=574BEFD8A720F505E798314999F886132D073E1B697DA8AAB7BE3748F28D185E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215084Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:37.045{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9FD05458B365384EEFB1248F5B5C82,SHA256=608AA1846C0EE5FD7276A69A8BB8A983D24C40459B4DC5E9D8E217B4C1773101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161325Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:38.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58D07091FBC0CA67CDA7F439AE74E4A,SHA256=C16FE11D7768E6B61FEB754C13F1CE4E00C8C6F35F357D0368B4E8F3006D580E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215087Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:38.782{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215086Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:38.063{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C7B1BE4B73CF821B495FE93285E6A9,SHA256=4A8E3DE462E564E7CBB867CBC17571127AE449B7520F4380916505DB6DC7ED60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161327Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:36.751{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52144-false10.0.1.12-8000- 23542300x8000000000000000161326Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:39.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBFFBE0A9E8C799430B35C274236668,SHA256=ADED77FA18CE838835439AA0E02512C758CE61C32265240FA53613C72D43BB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215088Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:39.082{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8A83C7F51242D857D1A2FEE044E720,SHA256=360062B7A82A23D559C119C12DE0409E29EC7822B4C8AAB0E40B01BD8F96AE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161328Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:40.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E16A514A5A584AF21FD43F7D3A6DA58,SHA256=42799ECA4999E86A9F568EC40CA6D82806C0225D06D363A6020E1F6D228C5628,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215090Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:37.886{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64803-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000215089Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:40.096{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BD0AFAE5688C825205DA93BCBEAFE0,SHA256=9155A3DB2781A5ADFD6F00A6DB77E1EC8224B995B6D386E981069A5B72BCDFBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161329Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:41.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F735E00FD8071BC4B9D9FA86744AF116,SHA256=36133BBCECFC6385CB19C55173C91C1B983333719D578D53FEE13767A5E9E6DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215092Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:38.391{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64804-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215091Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:41.100{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6431390855F9E4012291DB6E7EBA8DEA,SHA256=02B66604C648EEE09D8C3F78531C41DC9426A722DA848D45A9B65055BCEEB24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161330Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:42.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDA0F17D073D1F6E350885ED9DC2361,SHA256=81D29418CCB1B00550EBF7C141718C992AC86A8CD7173C9A047775CDD7927F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215093Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:42.115{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0AF7C33195FF802604FF0BF4D54EF7D,SHA256=EA966001CE96D2DC286722F8B0AEAD30CAEBC340B1DC1C9C58EC0DF59083289B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161331Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:43.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE618BB87E222B138BF5F20DC4B73A3F,SHA256=7AEA148B1E0B787004D4AB9700BCD1864C30D77DE21A0E09366282FD9FB863FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215094Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:43.146{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0802B844581DC8DF0D4B7B2A1F7B226,SHA256=E94A9F1BAA6CD07BF10B5344262D192D2C62E4E5708535CFD239A24F3C77AB8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161333Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:41.877{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52145-false10.0.1.12-8000- 23542300x8000000000000000161332Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:44.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597600463CFE523ECFB6032D94305532,SHA256=A5548B972016FA37E27D1A9D38E278403B4B77C54EC75B3A8CE626D3EE949DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215095Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:44.163{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4B31BD711554361EDB6BA97613DD4F,SHA256=CF9A537DA5FC440FD015B89560BF45A626C5D5A9A55E09853986D3753BFCA60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215096Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:45.181{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5ED509DE7F200C9B3D4733CC9A954F,SHA256=AF71A632D2715533581FA136E5B4AAAB4A7F1B7F08126CA4A37ADE56071A85E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161347Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5551-6116-FF05-00000000E801}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161346Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161345Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161344Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161343Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161342Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161341Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161340Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161339Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161338Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161337Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5551-6116-FF05-00000000E801}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161336Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5551-6116-FF05-00000000E801}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161335Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.647{C6197713-5551-6116-FF05-00000000E801}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161334Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B67ACF1E96494C95D0CC4C393EF76A,SHA256=A9FC37CF2BA3A963FD60EB711E8AC050020D31A83D8CB1A9624CC426441E7854,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161376Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5552-6116-0106-00000000E801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161375Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161374Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161373Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161372Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161371Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161370Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161369Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161368Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161367Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161366Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5552-6116-0106-00000000E801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161365Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5552-6116-0106-00000000E801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161364Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.991{C6197713-5552-6116-0106-00000000E801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161363Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.834{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED2C0E63BCDFB57E7E8880044C3D60B5,SHA256=7DF96B64A994EFEEC3259AA26668A6D00F1B8D6CA0B3EE3343CE65F5C87E7E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161362Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.834{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA248007A3B5F3D0DADC5072EE34EBAA,SHA256=FA6C4BBBCF1F0A935A006F309F2FC46874E572A6CC14A526246FC4D58EEB3809,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161361Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5552-6116-0006-00000000E801}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161360Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161359Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161358Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161357Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161356Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161355Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161354Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161353Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161352Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161351Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5552-6116-0006-00000000E801}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161350Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5552-6116-0006-00000000E801}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161349Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.319{C6197713-5552-6116-0006-00000000E801}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161348Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.302{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706D03692F1F81AE0ADAEF06482AF33E,SHA256=E072A3A1E9A8B0DFB6F70FB1DA9E86EBDA9E3DCE05D518D18B3169D9A318EBD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215098Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:44.269{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64805-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215097Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:46.196{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8194A61ADB08184D3228AD55E76114BB,SHA256=0F5C6DE9038669111359DD3180B00A96E6441E3F850FAFD024BFB0E6CBDE9785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161378Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:47.490{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A44281DA2E839EED64B6710EC9FF49,SHA256=088FAB1DCFD138773CFAEBF6A18E49327E2470B767E0555FC2054FA5AC8F2D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215099Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:47.226{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A533DF95755179510EAA21F0898800,SHA256=4252DBB0E39C841B5AE4A721439B5CF67EFCE21B0869B899E907C8F36CB0E3C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161377Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:47.209{C6197713-5552-6116-0106-00000000E801}34921060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161408Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5554-6116-0306-00000000E801}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161407Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161406Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161405Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161404Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161403Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161402Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161401Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161400Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161399Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161398Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5554-6116-0306-00000000E801}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161397Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5554-6116-0306-00000000E801}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161396Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.944{C6197713-5554-6116-0306-00000000E801}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161395Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.490{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B74F1E8B6ED196DF013F5C0E2E0E34,SHA256=00C98A24F1E0966B962A37D3F71DCFFBDEA6D10AE83B9CB34FDBED370B50F5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215100Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:48.241{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7425CC1676ABAE17DF4691AB61B550A,SHA256=4742BDE6F4E9C29E894B6C3EF6E661EB8A090C6B90FB8A68BA38E37D7B9FA1E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161394Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.427{C6197713-5554-6116-0206-00000000E801}39802660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161393Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.334{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161392Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5554-6116-0206-00000000E801}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161391Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5554-6116-0206-00000000E801}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161390Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161389Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161388Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161387Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161386Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161385Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161384Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161383Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161382Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161381Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5554-6116-0206-00000000E801}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161380Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.272{C6197713-5554-6116-0206-00000000E801}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161379Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.224{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED2C0E63BCDFB57E7E8880044C3D60B5,SHA256=7DF96B64A994EFEEC3259AA26668A6D00F1B8D6CA0B3EE3343CE65F5C87E7E3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161427Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.849{C6197713-5555-6116-0406-00000000E801}12402940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161426Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5555-6116-0406-00000000E801}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161425Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161424Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161423Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161422Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161421Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161420Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161419Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161418Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161417Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161416Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5555-6116-0406-00000000E801}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161415Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5555-6116-0406-00000000E801}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161414Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.616{C6197713-5555-6116-0406-00000000E801}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161413Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:47.986{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52147-false10.0.1.12-8089- 354300x8000000000000000161412Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:47.830{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52146-false10.0.1.12-8000- 23542300x8000000000000000161411Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.505{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83866EEAE318632DD7FB7E83D1545880,SHA256=DCB3600964A756D05B2AB921407D84E263B8850DFEEE33E86CA2000E43175C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215101Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:49.258{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C264F8E14E974C95552792F02A172D5,SHA256=C7FACB3DE61B785355415D877EA27FFF3D660951835062DB37A734982C7F68FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161410Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.302{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C301A3A4DF0F051BF3592B4B123B97,SHA256=E70F8ADE5207A95F1F9D63412FD5729499830BE19833018E1A546D2AF481DFB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161409Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.115{C6197713-5554-6116-0306-00000000E801}1872824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161442Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.912{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95314EEAC62E2D88F6D8288BCEB51FD9,SHA256=3485943FCAA20400E3647341D22BBC035CE203EAC0048A9BF843F56FB4C9409E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161441Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.912{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91B1E7D29A5CD0657706910DEB2BCD8D,SHA256=734229CA72BC21F8CC8ABF1A1D42BDE9A5785EA564BC039192E4ACB280D634E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215102Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:50.292{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA1F26A34885B2EBDE243E69579AEF6,SHA256=7E3253368713BA11E2B82A39AE7226D9EE1DA2D63DEC519A18D117A6F6E6CFE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161440Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5556-6116-0506-00000000E801}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161439Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161438Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161437Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161436Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161435Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161434Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161433Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161432Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161431Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161430Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5556-6116-0506-00000000E801}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161429Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5556-6116-0506-00000000E801}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161428Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.116{C6197713-5556-6116-0506-00000000E801}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215103Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:51.323{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C799E8B0C821EE76E167AC212FDAC8C,SHA256=178BB825494CDC6C150C7B95B7B6668396CED80070DDCB3D74E4AD5333A176F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215105Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:50.217{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64806-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215104Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:52.356{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F025CDF0E7D7F9A7D793D10E47E8CE,SHA256=64E8443BEEB6287BF2D0F981813AC01C71831664C141BAF7F01522635F27E269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161443Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:52.021{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05205FDB79F15714583AAA442250CEE9,SHA256=47CBE67E4E63CD29AA295801DF1B4F29CA53EBA115AFAD01C8D24CF106869116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215106Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:53.375{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CF2E7CE344D6EC3B6C6CADB68C8B8D,SHA256=2F56BDFA9BFC2A3E4D68ED17BD77F01DC453693DF54EF42B4C188596C987AE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161444Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:53.038{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527ED99353A72799A58A761B615130B9,SHA256=11AFA6C28B9413C3EDBFC2AFE660EC2BF826A2B2A91BB1228CBF3457F8C5600E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215107Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:54.406{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40633C2B47EA76103F675ECB03D743E,SHA256=2DA7C82D211382922BD927DAC498DE036CECF70F7D659D1A9F861E38C72231E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161446Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:52.878{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52148-false10.0.1.12-8000- 23542300x8000000000000000161445Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:54.040{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50307C317E01BD2AF4EA9D950378E01,SHA256=F3AB1DA875A4900EE15D28EED32A6616B220069D7B5D2E887D49D0FEF05CDDA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215108Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:55.421{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EE86E41583C00B3D1392E880AE1DE3,SHA256=8839EED4EE1D6E4074C8D21F7A82660D7513B4AB0D922577A64A691A3E61D727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161447Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:55.046{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77A9B35CA1CF4F4D2FA2BD71E92B135,SHA256=B4459EE8657EB5707D702A4E5BC85EAD9CD2CB4847895F638CAAA29E490E27D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215109Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:56.435{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74FC7A4C676AF42EEEAD5077D6F6980,SHA256=CFB80305A47522786795B49D8F7281FF4AAC6A003DDF58F86EE105D751533C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161448Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:56.062{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034114B6B85B1BC8F31C211884211481,SHA256=2192913DED8BCD89122CE31FC0DA9CE35B63EDFE461A92FB857DCB080DD3D27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215110Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:57.438{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF70B5A18C47D437CEC17CFCD536854,SHA256=D6090F174095FEFA5DDB6F7C7B57B98D883256B04F1B191CD3627B7A6FA45978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161449Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:57.109{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBDE15BB25D90BDE7F601219CB2C0F1,SHA256=22794E3C515B05C8B19267017942A5AF00DBE528CC0D88CC2EDF34DC540B8D17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215112Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:56.232{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64807-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215111Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:58.455{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C88119DAFA92FDD62216B98AE2912F7,SHA256=EAF452607C6EE8278C2839A1CCE10406B114571C5E96DC0D1F1F5D5CE2971EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161450Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:58.124{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7DD8D3E928EC5A7AF97FDDA0D92BC7,SHA256=FEA5591D4BF30A6779F89DF427C11B57019C0B3074A7969E8EBB096E195C88F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215121Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-555F-6116-0A07-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215120Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215119Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215118Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215117Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215116Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-555F-6116-0A07-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215115Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-555F-6116-0A07-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215114Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.737{079FE16A-555F-6116-0A07-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215113Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.473{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1BB5AF807DEE52DF4679D2CBF1195B,SHA256=49A80A7E190D296E2B15D159A84509AD969154B50A4E683EC3A9B9E7E9A11143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161451Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:59.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C0D3DA746B041078B5F14C04EF8603,SHA256=171530344A2E994D1D4196DAF3DFDFB1B71F12CC48FF88D4944AF8397816D588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215132Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.756{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D890C4044C8E95204BBCD2610860FA70,SHA256=AA4BDC7B23084A9A29E138246F2DFB75F586B5889004F80D63A3CB6E12194CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215131Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.755{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B1B50B1578BBC56C2889DA7888CDD8C,SHA256=F2CE19B54E0BFA18BFD8533E550F3DD4F148D92C26F3D8D186C770A1D1825346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215130Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.488{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187D8DC224451F5AA87D025A9EFD2E15,SHA256=F8F27C17B2FAF50EB2A0D4C75756B46DEC795D3228123E5A64439E37F63C0E0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161453Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:58.917{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52149-false10.0.1.12-8000- 23542300x8000000000000000161452Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:00.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188AC70FB18E9DC3F49A2988B6D81FAB,SHA256=1A7A431706BAC35B3E0AC9A815C61351B349E33623E8954C7AC34699DDB114FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215129Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5560-6116-0B07-00000000E701}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215128Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215127Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215126Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215125Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215124Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5560-6116-0B07-00000000E701}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215123Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5560-6116-0B07-00000000E701}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215122Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.405{079FE16A-5560-6116-0B07-00000000E701}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215142Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.501{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3062C6014FB8C3004B6D3058039DBED9,SHA256=9483DE47DD34E37537D1952BB627052D9CE81EF3627A4541B5874E1201FEE1B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161454Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:01.218{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0611D9BC66F467140BD2EAA8520CAB90,SHA256=58B744668E1C9FF187B21FEA7FFCE984FDE02C8F10A6B8216FF2F3179BA55A4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215141Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.369{079FE16A-5561-6116-0C07-00000000E701}61803924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215140Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5561-6116-0C07-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215139Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215138Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215137Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215136Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215135Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5561-6116-0C07-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215134Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5561-6116-0C07-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215133Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.073{079FE16A-5561-6116-0C07-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215144Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:02.532{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E21DC86EB226FCC2C9405643EFD2C7,SHA256=B14FF6D3165303A13A0BFCFFB4E6A6B647150C38DE6DAC296CFD623B1B3BBAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161455Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:02.218{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CF7F1848D6E847BE81DCCC33453122,SHA256=24BFEB1DB04AAEDA0323C5990FE61CE876A4A5905FEE179D394355D0F6EFD7D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215143Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:02.084{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D890C4044C8E95204BBCD2610860FA70,SHA256=AA4BDC7B23084A9A29E138246F2DFB75F586B5889004F80D63A3CB6E12194CEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215153Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.785{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5563-6116-0D07-00000000E701}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215152Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.783{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215151Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.783{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215150Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.782{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215149Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.782{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215148Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.782{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5563-6116-0D07-00000000E701}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215147Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.782{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5563-6116-0D07-00000000E701}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215146Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.780{079FE16A-5563-6116-0D07-00000000E701}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215145Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.547{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD7116F066C00E84C9C37FECC005AE8,SHA256=6BC5FE4C63D043D3841B929124BAEE68A6BA00CAECF86A075196573E12FEEDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161456Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:03.249{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E5ED187E8B07B9710220B5D2067E2A,SHA256=ABBED57DD3A3DF83ADCC3304F60865FFEEF1012678EDAAE8BB6DF10843793FE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215166Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.764{079FE16A-5564-6116-0E07-00000000E701}68203472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215165Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.716{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=719AB7B10DF6A88F4A73180A1819D301,SHA256=36E38C98790D5A8A5FE0245A09B30F36174D2AE68A014448ABE94BCA039F8B33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215164Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:02.172{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64808-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215163Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.584{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E310F9460BC7A91690389C072BCA51F,SHA256=CDCAA52720D92DD8DE386296C8AB4B17F9E52366BB8181FA4CD547C66A270A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161457Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:04.265{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15360FFE857E56D5548352D2B7B7862,SHA256=065664BA7448A8ED5FA6BD95EDA70D96E2F03B9FD4AEBC2EBC6D7E9ECC03B1E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215162Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5564-6116-0E07-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215161Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215160Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215159Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215158Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215157Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5564-6116-0E07-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215156Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5564-6116-0E07-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215155Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.464{079FE16A-5564-6116-0E07-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215154Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.101{079FE16A-5563-6116-0D07-00000000E701}45726528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215186Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5565-6116-1007-00000000E701}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215185Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215184Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215183Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215182Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215181Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5565-6116-1007-00000000E701}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215180Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5565-6116-1007-00000000E701}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215179Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.801{079FE16A-5565-6116-1007-00000000E701}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000215178Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:02.826{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64809-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000215177Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:02.826{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64809-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 23542300x8000000000000000215176Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.615{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A455C0A0366B11173AB4500B5A00C8,SHA256=FE783EBD0448613C27F47BA0FCE6712472840A9B193D084A367292DE96D65BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161458Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:05.280{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2F8EECEBD19A9AD9F0832804C74346,SHA256=2F831755EE36A607FA2BB74425331C93CA00720961753D7E9CE3F881D64FA57B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215175Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.384{079FE16A-5565-6116-0F07-00000000E701}50082296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215174Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5565-6116-0F07-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215173Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215172Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215171Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5565-6116-0F07-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215170Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215169Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215168Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5565-6116-0F07-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215167Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.133{079FE16A-5565-6116-0F07-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215188Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:06.616{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDCFC9EFA0BA57E1B04E5826C1AC4E2,SHA256=DB76D1E3EF888B579D73E886DDE23A974CC26AEFAD0FC4953FF5B93958EABAD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161459Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:06.280{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A942002EFDED24CDD14E30B41F7F0E,SHA256=4D8F42453C51FA53FDCE3BC2B3663E90AC5F4E4621FA48BF176111A1866B1677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215187Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:06.147{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F85C9BB10338738354DB388C702B6E45,SHA256=6DB93CD249CE1A2D58155A2B05D1F3C8B89A8060F88E6F9EC3936AD771622269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215189Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:07.631{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C977F0821690CFB4270019706DC8143,SHA256=87465A3A1AC84ED3C909DE0B55A1B35F6D275F4DA9F534D48B8002296C2DF7AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161461Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:07.281{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47073F361E42139507ED7B1E062C7403,SHA256=C01275C26A60A649367E56A91638BD4B4BB8A10B7730EC5BDC025C11DDCA095F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161460Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:04.886{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52150-false10.0.1.12-8000- 23542300x8000000000000000215193Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:08.646{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918236B5D91879DF53BBA8978FDD3189,SHA256=FFA343E21832BBB49A3AE8D417A9A0F4529E1F674828C2C1E5D7AF503EDEC007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161462Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:08.312{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34896C4F14AE287E72378E26F65D4617,SHA256=0BD4F61ACF5101D31A549E10B0056713CE2CBBDB5461C926CE5C933A41B57B77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215192Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:08.115{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000215191Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:08.115{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215190Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:08.115{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb6ccb1.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215197Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:07.306{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64810-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215196Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:09.681{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF10142D6E16C8539464791D76C38235,SHA256=B35885A35462AD5877EA8EAFF6E179104101B4C66A8B49BA5454E890F890E8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161463Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:09.312{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5A8D640AD72CF56CA3AE05A037F4BD,SHA256=9F9B06D51871991E12AA4A39247F3D172377C9C026BD7B73830922B3BC1223D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215195Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:09.045{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215194Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:09.045{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215198Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:10.699{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C34A9C256BD9D3CEF1298208453C92,SHA256=64E168698EF2EC9AC6E9A1D117318DDDA2B7A18DCE3FC064B581D0435F94DDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161464Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:10.312{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43CF16229FCCF26C2D00DCD608351BF,SHA256=37DC0D1FAD6660E138120F3BC7B2FEC96FFE3B581C161239639796756B1DAF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215199Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:11.729{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDE40FFF0BFF02D241630EACC66C39E,SHA256=E7A0818B349624E5B3EDF74D10284C37A8EDF948666DF33C0B18227F3AA66444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161465Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:11.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3485A89475E73E0B6AFEF9ECE57616,SHA256=55B3459145EF3BFDD09D0D8FD8DBDD0B7D31AE9993414719F2C592C922974091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215202Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:12.744{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5311A03AA2DBE23277F4CE98092F364C,SHA256=C7D4463E9E05384AE91F517A6EB6DEDB86882B6371018D83629FEF8804A3AA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161466Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:12.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC34A3B8C74175FA9C10B1387C9AEBB0,SHA256=819286E0C01E41C148A1211DAE4A5BC5B4F5A6D82BD10941EB119A0FDBAFC834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215201Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:12.460{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215200Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:12.460{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=C3226C075E608937FF0D6D3609F2140E,SHA256=D365C8CC79BBC2BC801B6C575720DE9A5542E65246EEFEF66F4862B5DB795C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215203Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:13.778{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C45C4A76C5BD7F8061EBA0126C33AF,SHA256=639CA5596AA114AEDCEA2D3CDC2E05DE87CE5B2275526B972E3D9F6A30881804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161468Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:13.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD2B09236F5F45A87DC42039F75321E,SHA256=4A374D5BE6A2189BCAF22CE16E389203AF26C110208504FFCD9C8850EF97A879,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161467Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:10.761{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52151-false10.0.1.12-8000- 23542300x8000000000000000215204Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:14.829{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A85EA48489A8A8838372F85FE7A98A,SHA256=BAE10DAF0C98E8A37F8C5430AF8CBD8020B1AD21FCA6E5DEB2D027167BB1EEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161469Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:14.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588B88F07B6D324E765A9A64CC4E8A2A,SHA256=DEC7DCF7FE5B09578A94B68F815DEC9173E248310AC0D14A3D45A797A636C906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215205Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:15.829{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE76F050C38841866717B9927A94535,SHA256=2B49AF36E0B0AE732E5E1E7A8052AD3626CC521FB41C9919678509C91FD3543D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161470Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:15.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE5D6324C4C5DE6A397BBB67E111C91,SHA256=9CF0EDFC9B1DD3E08CCC327087E8AA5A068A11F44CC348660E2851EB5E90CB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215207Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:16.859{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE82290183413FC8EEBB3931C3000AE,SHA256=91029045BEA68D53EBC72DBD7AD7DB06E6BD99403F02F402E8050888FC457D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161471Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:16.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E1499DE4A1977A5A977A8712B6000E,SHA256=759AD38471B2E8010BD072C47EDEBC8F92D94B8EA624CF78849C4FEF6EED109A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215206Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:13.338{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215208Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:17.879{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A410E107CCB9A218A46787D1DEEF8F4C,SHA256=448A06CFD321E5A25905162104F00EAEC88D88786FB8C8E715BA76AEDA5E7DCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161473Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:15.777{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52152-false10.0.1.12-8000- 23542300x8000000000000000161472Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:17.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB132D180CC235CB2210C584670E5692,SHA256=62A5A7A4A36F6866363B35ED9A802950C6EF85F53F45DA3E871D9ECE38F54198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215209Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:18.895{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92109CFC7453F8F41261E7A3A1CCC6E,SHA256=C886030DA3F243ED9A5EB4E51AD386212858304FEAF98BE328F7138F74BD7D4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161474Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:18.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BEEB79DCD4B0BACBC5B59E67B6CAFA,SHA256=B3CEE66F12071AFB83AEDE7907C7A5815E5A218DEDAD03AFC5CAB32B03ED8E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215210Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:19.898{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8BCDBAFC1B8A86814F8C38D16589F6,SHA256=930F034AC93814A4C372B36D4CC6E8284209F48A7EB3B983AC9ABCB5B19AB859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161475Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:19.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20DEB6B049C513A9789C09974205F6D,SHA256=C3DB781D850BB491833F36B5999E2B0C85B09D8D4F3C5F7330B4043817F0BAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215211Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:20.929{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7993266267AA681DCAE5532F35686BC,SHA256=4C6DF7D92933AAF875A502B7BFC5E2A361788DA2D6E11D1864D678B54FD12110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161476Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:20.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2EABAA7DD471AED0C25114DA5321696,SHA256=C5B640F8AC256AFD894DF6615F6D557F637200B4F4B0ABB9901A6FE61A7883B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215212Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:21.944{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B5DC4ABF034AC9ED557A4A014066F8,SHA256=A7A1A91878B89FAD462841CE45796B8DA3C734A9BCD4F8E8536BD8FF5404FF79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161477Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:21.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFD9AB60C40ED8B6A564251304C992C,SHA256=7FDBCCF0D4A6354069F54C866786EA8E14C55921E6D6968A4CF32C2D902F025B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215214Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:22.978{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C5E44AA3B2CE4FCDD8490415D7AB64,SHA256=4C415B395F0CB9ABD81D54A5C24FB75B14BA921EB5C8FDBF6A5D3507538C6795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161478Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:22.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00516FD70629A1F59AFBAD5A6326CDC6,SHA256=85082933EC718DA89AB8D7A9DC071C79B8913A316E9EBBCC96FAFAC035557A2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215213Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:19.223{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64812-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161479Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:23.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B451D9B23E8849101426B6E650379F81,SHA256=D3842BE8DAF1F4C236ED9DB7E2E6B956F86D7056549E680838FF220C277DA78D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161481Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:21.777{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52153-false10.0.1.12-8000- 23542300x8000000000000000161480Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:24.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28A12BDD4B66839821ED5AA46D7ADC8,SHA256=F00E6017BC7275B21A717413D5424954EB7AA60FA212EB75848660DD6931E574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215215Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:24.012{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35561034700F79DB1B2822C025CCE68B,SHA256=9777E2887207E7C2F0C93C0035D856CFB38C74F421B46CF3E7C6E794C4CDC125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161482Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:25.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2539E423396DE5E0C037DAAB5BD0496,SHA256=3DE11BE793D955AD955CC462C783BDE637992E2B9079FA5BD14A5CDAF5058ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215216Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:25.026{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6528E1DA804B70B8F1B8AFD2F26348B0,SHA256=4ED81B7BC03CA6084DCE64E61CC0CD8542BF2BB4A65844456CEBFEED1EEECC1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161483Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:26.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9B09A87542FB412932D802B6D4D7E6,SHA256=07C67135A55EF0253B4C91286B618547A8B829CCACC417EC8276068E26E4C681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215217Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:26.041{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C137FFFFA2398A6C34FF26B9297903,SHA256=B0A7381BE438E9159DD16D7FEEFA6BC3BC09E6A61242A591400E1770029214F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161484Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:27.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC3922D85DBCA09CD188B8FF51860BF,SHA256=575EA8C1B0335DEF4B32A71ECF33184DB30B3C00FBA0FC4A82E30C8DF7EF14E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215218Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:27.056{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADC095EECF02F083AD5501F6AD2F14D,SHA256=65509AAB67E083E72C23DE8160C7050EAC3CCAE7EB25B2A7545679F814BAAECF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161486Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:26.809{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52154-false10.0.1.12-8000- 23542300x8000000000000000161485Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:28.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC26C7D522DEEA3677848375DE1780BA,SHA256=B7C40563995BD872A944D2187CF46EFD54C0A2C7855076F985F69F36E8D53B5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215220Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:25.251{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64813-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215219Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:28.075{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C9CACB86C10F4FD8E46A7176510E58,SHA256=715B1EB3C8477868DF80E78C3CE8C7B9AAB1B01F59FEEC444293E295851D6047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161487Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:29.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D200997277EA1B08C6D51EF13812F62,SHA256=0C62E48C61B76C8C66588FD7262E4D16585E79F7F6B5E6A3946D3FF2D0DDA22B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215222Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:29.292{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215221Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:29.092{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438BFAC055D7B2E2985CC0F1C6443C4F,SHA256=ED2231737AD4987CD0DA1F52D016F9DD3855F8876DF26F027540FDA040E1336D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161488Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:30.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033BA98D2C35FC3B3D7452248FE047E7,SHA256=D8A7A92FBAB6845CE88626C81A095E0315F407449B4EA4681F097FB12B4CCCDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215223Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:30.123{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49FFD2369E87CA8085F83EFEDA29BED,SHA256=EAEE5A186D33563A0C2D236853B418A8987C21E6B70B91DBD54901A2B1769F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161489Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:31.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120B5F865E9EC53E692F1F39B119A156,SHA256=4EFED22ABA779850DC765F028CECD1689D568CAE2F297EBF4A5314814836CB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215224Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.123{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BD12E39BC26E514EA4CA9CD97BDB37,SHA256=0CEE63B2284788360BFF7D3A06C2A105496E2966096EA0D4208A800903CAB16C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161505Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.624{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161504Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.624{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161503Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.624{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161502Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.624{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161501Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.624{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161500Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.624{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161499Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763A40CF6FF5999699C4E176671FAC1E,SHA256=A739205FC584C985283D2D651A3E58161DFC8A504E9CA2604AE0B4666A57E870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215225Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:32.125{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E3D2EB94735D3F5F2506EF0F0B4A7A,SHA256=19894D164CBCD1C4EC6905A0AB55B67E983BE56AF1E26649D84F57C53793C63D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161498Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161497Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161496Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161495Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161494Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161493Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161492Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161491Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161490Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000161515Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.294{C6197713-26A1-6116-1600-00000000E801}1208C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52157-false10.0.1.14-389ldap 354300x8000000000000000161514Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.092{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52156-false10.0.1.14-49666- 354300x8000000000000000161513Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.091{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52155-false10.0.1.14-135epmap 23542300x8000000000000000161512Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.640{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C99CC2DD6F59E8C5F1494B3DCAFADE8,SHA256=D4D5F9BA1BBDCE703C80FE40F3F959EB81A66C27B5BA2D1122E2411BC8AEF7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161511Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.640{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4234938CE5C34463E1CBA3974C573DDE,SHA256=ACFFA63C5C28F7D19A5682F184A5D2F6F02B8EE8497A2553D75E99A30BBA712A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161510Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80707779AC62E98534CDBAD0BCB6163D,SHA256=1FA599D572345F68D6F9C0AF070276CF463E91EFFF8DB4D48EBEE7888C763E59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215230Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:33.608{079FE16A-26A0-6116-0B00-00000000E701}6284932C:\Windows\system32\lsass.exe{079FE16A-269C-6116-0100-00000000E701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000215229Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:33.455{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B4E7E779636706D0316647F4E2D79F9,SHA256=90B828D41A001BDD4ADE50A8008C169F005C68263C191BC9D6689F9EC2E42E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215228Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:33.455{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1F6F4A19C28C8935F15307E830BCE08,SHA256=1D0B8DDB22012FCD8F6213B263038B74E6F2B6C63C7A3B68805D0C3F864E4575,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215227Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.297{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64814-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215226Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:33.140{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A4D86079636D538E818FC78965E0DF,SHA256=74D1575EF0FD99F545218487A144CD0EA836239771C3EEA962D387BB8B6EC06A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161509Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.077{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161508Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.062{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161507Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.062{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161506Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.062{C6197713-26A0-6116-0B00-00000000E801}6281420C:\Windows\system32\lsass.exe{C6197713-269E-6116-0100-00000000E801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000161519Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.793{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52160-false10.0.1.12-8000- 354300x8000000000000000161518Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.736{C6197713-269E-6116-0100-00000000E801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52159-false10.0.1.14-445microsoft-ds 354300x8000000000000000161517Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.418{C6197713-26A1-6116-1600-00000000E801}1208C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52158-false10.0.1.14-389ldap 23542300x8000000000000000161516Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:34.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0B8C159C794A188FF105AA8E778815,SHA256=08717F89320F81DAF5508CBB0C02C294959B351FC22D29A90188AAD829E34D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215237Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:34.624{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B4E7E779636706D0316647F4E2D79F9,SHA256=90B828D41A001BDD4ADE50A8008C169F005C68263C191BC9D6689F9EC2E42E78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215236Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.752{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local389-false10.0.1.15WIN-HOST-86757452- 354300x8000000000000000215235Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.743{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-86752157-false10.0.1.14win-dc-414.attackrange.local389ldap 354300x8000000000000000215234Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.540{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-86752156-false10.0.1.14win-dc-414.attackrange.local49666- 354300x8000000000000000215233Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.539{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-86752155-false10.0.1.14win-dc-414.attackrange.local135epmap 354300x8000000000000000215232Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.433{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local389-false10.0.1.15WIN-HOST-86757451- 23542300x8000000000000000215231Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:34.140{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9882CC5C0D7EFF80CDFEF6A5008E3A7,SHA256=599BAA33D1EE1A7E7ED0F86682DCB12BAD3F390B6904DBC03719597232D94614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161521Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:35.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B891DF190772254BD9713AD712900C6,SHA256=B367A9E2EF1B62B0C81973C9BC9A517713D224956DA0D2A132BBE61B2E2423E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215244Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:35.576{079FE16A-26A2-6116-1600-00000000E701}13006648C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215243Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:35.576{079FE16A-26A2-6116-1600-00000000E701}13006648C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000215242Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:32.735{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64815-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000215241Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:32.735{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64815-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000215240Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:32.184{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-86752159-false10.0.1.14win-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000215239Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.867{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-86752158-false10.0.1.14win-dc-414.attackrange.local389ldap 23542300x8000000000000000215238Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:35.154{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E83C600E39DED9E4B71F516BA970459,SHA256=725507A8AD6CDEAE32F98FF6E00283DB47E28967CC796564A024D9138F0A6599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161520Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:35.312{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C83B04388DB37B99A5D8184E10430153,SHA256=0A505AF4CBF56AAD8D3B9B10284BEC85B676C4061F38D6246A2909A41B5E18AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161532Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:36.375{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760B3D9B003879C2363E3CB8984983FD,SHA256=6A78F720FE9670752907FE5AF6E21B7FD1E940D103C6234BF7430B4A0F10D7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215246Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:36.891{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F4B41D965F6D72E6E3EF9E7DC7712394,SHA256=92BBDB50BE2930901B4986F9BBB59DEEC5571A03BB44E406E4330339F0627F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215245Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:36.175{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E181D7123107E6924DF8A3249EE352B,SHA256=C67D7B2E70E5D61B5FB6A4C51AB37456F98CF82FC50CA0F7DA66780BC69B2518,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000161531Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000161530Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b73492) 13241300x8000000000000000161529Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902c-0xdb1b5e6e) 13241300x8000000000000000161528Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79035-0x3cdfc66e) 13241300x8000000000000000161527Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903d-0x9ea42e6e) 13241300x8000000000000000161526Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000161525Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b73492) 13241300x8000000000000000161524Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902c-0xdb1b5e6e) 13241300x8000000000000000161523Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79035-0x3cdfc66e) 13241300x8000000000000000161522Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903d-0x9ea42e6e) 23542300x8000000000000000161533Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:37.375{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C07FE8640B8BAF9A1DB2F1356DC5A6A,SHA256=E2CECAE66AC7B53D75E6F582816AB8CD0B06E6D8BDD826497A7B6275D82976EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215247Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:37.206{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD78B2259ED1B6C5FFC45F7640E9FB50,SHA256=8528B38B8797C97364BB335762930A77FD6E04A2700955A44B516C315DAC6904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215250Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:38.805{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215249Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:36.316{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64816-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215248Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:38.221{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48035546A6EDB26431294D35C6DBB04F,SHA256=DEBB98F36CD3E267D53ED74BF16A57783B67F5DFB9B838F95CF8B613052BC7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161534Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:38.376{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1644F86E29384D5D04B1017DDD6F05AA,SHA256=49D78F588529B40FC0CDCE4E30ABD67D6AA571F640C789E11116BB723040AF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161535Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:39.375{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49564B97B7281750D85C31EEBED9756B,SHA256=684653B8214F3B0F4AE0010457E165C2EB46A5F222ACD871A226B0030B36D014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215251Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:39.236{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=629D6CC2BDB949F4B26E38A7629C9C55,SHA256=B705728F45523175E2E4E25A61FC4FEEEBF9D8820CE2C01C1276A6679E2559D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161537Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:38.717{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52161-false10.0.1.12-8000- 23542300x8000000000000000161536Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:40.375{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E1FB714BF89B4BA873947D8097AB5E,SHA256=0965C55389753E6125180AA0B8738D3A4AD18D00D3D46E332C391DDBB3ECB4B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215253Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:37.915{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64817-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000215252Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:40.269{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4E3BA3C48F0E4EC956BF6DAEA153E0,SHA256=F3054197EA866E5D2B16A2C3E5B28821B2307160F9C39383E952660D5FE3EA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161538Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:41.375{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6201A87B6C7D2229604727211D2065,SHA256=6682ADA26EA23A8B42A076D56B8D53D770333D28C7223F5A997DB0CAA7E01DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215254Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:41.287{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5E5F97C7BE2BBFD669FB2DD4B713BC,SHA256=891E7FFCBE2BABEA445429D9FA8F856D8B41B97A7041F3C6608219142A83C684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215255Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:42.348{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FB7EB5475C2AD007748767423C4504,SHA256=72F926E090C7F117700D62573AF661EFE594413AC45EA7DA8B42361A9A42F0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161539Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:42.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66616C55F86102BF9B2C2AE92B2615C1,SHA256=2CA262B0516C8F8D79DD5764A02A23BBFCD6E1B09A9E3A0F87CE049DCFAB3C29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215257Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:41.373{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64818-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215256Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:43.366{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBB7A1F4DF9F5EF166DCA995F469780,SHA256=B7A7CD3741433BF80CC615ADDD9CD0ABFAFA8ED4430A400F88064786EC072CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161540Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:43.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE60E09E222D5F2B3BABEEE2C9E55BB,SHA256=E2C23D44FE9CB9D6D6E16114C28BE7B83CAEB2F68694BDB3B8B5589FD01192E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161541Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:44.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6E09926FB95CA88DF55D5572D62A1B,SHA256=475E707CA46E5BDF87721B42E1B38882D8B6067BABC687A7002AAC839789A354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215258Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:44.446{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881B50B91CBC9AE958A5F3EFFA4DFAFD,SHA256=0FEB6C70B4891CF7FE4256D98631D35A407BACF84E0B664DD076AEFDD26DE715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215261Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:45.446{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E270943BC10024E7B4AD1D0622E52F,SHA256=EC36DB637856AAC60CC7880016E1FDE34C392268ACEF8F8D3ECEFF1266BB82DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161555Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-558D-6116-0606-00000000E801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161554Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161553Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161552Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161551Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161550Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161549Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161548Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161547Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161546Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161545Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-558D-6116-0606-00000000E801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161544Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-558D-6116-0606-00000000E801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161543Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-558D-6116-0606-00000000E801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161542Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71684812F9B47CFB7484A9B473EBC63,SHA256=7EEA4AAFC67EA4C68F35EB36532BA0786A39F44E259585682CE50BCA7FBD229F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215260Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:45.315{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F885D2424206BD34650255A040E62D5,SHA256=9244424A479FD9A2E49D6D8A6380EC621109C460F20898EA5F8B0830816FC639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215259Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:45.315{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=282C9CCEA1E56A235BC1D3BA156BBBBC,SHA256=A182BF7D933A4B2AA4C45FB414091F00BC98234CB073511B7E3626446FA62A13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161586Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.969{C6197713-558E-6116-0806-00000000E801}2476736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161585Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-558E-6116-0806-00000000E801}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161584Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161583Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161582Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161581Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161580Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161579Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161578Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161577Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161576Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161575Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-558E-6116-0806-00000000E801}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161574Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-558E-6116-0806-00000000E801}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161573Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.814{C6197713-558E-6116-0806-00000000E801}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161572Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.704{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB98B99854BC04973B3F5419247508DA,SHA256=9F1D802A92B9F64BF51EBD5394D72DB2C45DFCFCE29D22089C592EA24BD838F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161571Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.704{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C99CC2DD6F59E8C5F1494B3DCAFADE8,SHA256=D4D5F9BA1BBDCE703C80FE40F3F959EB81A66C27B5BA2D1122E2411BC8AEF7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161570Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.407{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E126317F6E964394AB104B7F5CF887C,SHA256=D924880FAEE3A6A43BF0C0CC48F9072EC1AA225649853EBCDA51375CDACFB26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215262Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:46.464{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF99F91947A856FB0EEE464799D0ED0,SHA256=BB67E93ECB0227F8BB1E913C39C17B025306387234A2393C2ABD3C0219CDCEFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161569Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:43.826{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52162-false10.0.1.12-8000- 10341000x8000000000000000161568Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-558E-6116-0706-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161567Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161566Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161565Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161564Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161563Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161562Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161561Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161560Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161559Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161558Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-558E-6116-0706-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161557Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-558E-6116-0706-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161556Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.158{C6197713-558E-6116-0706-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215263Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:47.484{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D5357A865E49A528745EDA948404B2,SHA256=33A8418648149F6ABFD723E3576C8DDD5799CB223C9EEC261B7510E71E64587D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161588Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:47.813{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB98B99854BC04973B3F5419247508DA,SHA256=9F1D802A92B9F64BF51EBD5394D72DB2C45DFCFCE29D22089C592EA24BD838F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161587Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:47.454{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AF0CC6D3A66DF5C782C7A6C20E4062,SHA256=8E24E0A319F278114C3EACDA3A58EFBE359EEE915536C4385DA22255DB674FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215264Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:48.499{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E62210E377A4357064D71DF5552665D,SHA256=B5AB58B745BAE2E7F523FC2E417C258240956AD9752B609D31804D60AF7A785C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161617Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5590-6116-0A06-00000000E801}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161616Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161615Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161614Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161613Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161612Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161611Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161610Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161609Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161608Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161607Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5590-6116-0A06-00000000E801}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161606Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5590-6116-0A06-00000000E801}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161605Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.783{C6197713-5590-6116-0A06-00000000E801}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161604Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.516{C6197713-5590-6116-0906-00000000E801}27602932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161603Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.454{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D8917D89723398D6426C51BA61F940,SHA256=216E49C34BBBBB1516DF8E5EB6C8BCBEC8909ADFC070A424FAD9833763A96B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161602Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.360{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161601Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5590-6116-0906-00000000E801}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161600Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161599Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161598Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161597Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161596Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161595Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161594Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161593Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161592Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161591Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5590-6116-0906-00000000E801}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161590Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5590-6116-0906-00000000E801}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161589Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-5590-6116-0906-00000000E801}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161647Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5591-6116-0C06-00000000E801}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161646Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161645Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161644Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161643Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161642Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161641Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161640Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161639Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161638Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161637Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5591-6116-0C06-00000000E801}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161636Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5591-6116-0C06-00000000E801}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161635Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-5591-6116-0C06-00000000E801}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161634Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.719{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65EF5EC77D82C2BA4E91CEDA4AC4FC9,SHA256=74DE14A993D495142240E103428395299B1C50DD5A72C79F66CC9F244B0C810F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161633Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.485{C6197713-5591-6116-0B06-00000000E801}3744304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215301Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215300Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215299Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215298Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215297Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215296Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215295Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215294Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215293Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215292Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215291Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215290Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215289Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215288Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215287Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215286Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215285Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215284Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215283Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215282Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215281Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215280Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215279Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215278Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215277Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215276Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215275Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215274Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215273Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215272Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215271Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215270Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215269Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215268Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215267Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215266Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215265Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161632Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.297{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C72F71357055782B5B759FDA9BD590A1,SHA256=B66E5FFA5C16755F7EABCD6E8FB99F1AE4CE449C9DCB53696CD16F20BBD1BFD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161631Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5591-6116-0B06-00000000E801}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161630Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161629Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161628Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161627Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161626Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161625Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161624Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161623Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161622Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161621Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5591-6116-0B06-00000000E801}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161620Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5591-6116-0B06-00000000E801}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161619Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.283{C6197713-5591-6116-0B06-00000000E801}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161618Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.032{C6197713-5590-6116-0A06-00000000E801}2848764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161649Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:50.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2A1B921E031A2C9BC39E4E8CC6B51B,SHA256=4271DF5DB804BA3FA3E37D1050A7ABE2DAACE98A8D16FECA9513D56391BF9992,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000215304Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:20:50.716{079FE16A-26A2-6116-1000-00000000E701}384C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79035-0x45aa1b3e) 354300x8000000000000000215303Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:47.187{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64819-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215302Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:50.015{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415E946B433CC29697F6BB84F0AD8392,SHA256=E548CDF53FD114517FA3CC52259B936A60D0F6CB86CBE54AD0DA84FA612B3012,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161648Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.016{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52163-false10.0.1.12-8089- 23542300x8000000000000000161652Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:51.501{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E6099E709286AC19D0927D28CE8864,SHA256=F760354045ECAD00C9F985E91D3D8265367B26DE93BCCCD87E0E68807ECDB14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215305Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:51.032{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DC0B85A966B29624C45CC2CEB10C5E,SHA256=EBEAE2B64036861EAA2CEC46D722E40D65330A3D1FB8F166DBBEF1EFB7CEA96E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161651Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.888{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52164-false10.0.1.12-8000- 23542300x8000000000000000161650Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:51.188{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BC374E3FD0299A54B0846B36D5D67B8,SHA256=E2F102D15F7245C13B7FEF40099A3C8792081C8E036A5F2586124276076407F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161654Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:52.579{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB872CA650BAAC0AA21B92CEA80ED56,SHA256=4D93678EBC5AA2D7B87138CD8EE6989D017EC4D583A178DE5A66E2918CFF21F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215306Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:52.068{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3534660B5D3D53E233CAC6619FD47B8,SHA256=74F72A46639CF55BF36D86F76BDB065865CD447B91EE6A33289CDF1EA506E180,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000161653Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:52.094{C6197713-26A1-6116-1100-00000000E801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79035-0x467c7c39) 23542300x8000000000000000161655Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:53.625{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDAE1CC2BD82650967D1ABAE3433F66,SHA256=63C6A7689D92C212A5FFCB647A25C9EA106BF93A284661886213FC7D72F23D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215307Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:53.086{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E2A5C9A98018EBD094E590A1B06A6F,SHA256=57B306CD7C4046A982E4A5DD543B9F72206F9C967DD8EC544FBC7BBC025EB71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161656Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:54.672{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CE42EF20B39B6C72D7B8297DC2E2D8,SHA256=47AE1AD27506241420B65275A51F5BFED31366659D78202C3BE77F702BF53E56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215315Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:52.224{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215314Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.348{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=7159C34FC1D31216AAB2E6579ED130F6,SHA256=C795C0C0E959A7BCFBCFE05887CAAB8C71ED81A2FE547E94739178DB7C97D3B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215313Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.348{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D2B9CC9A9201859065C0DA36AA399E6F,SHA256=63F3262833438672F171B69D28A27262138E4BA530FC3F71679B91902E876FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215312Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.348{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=513C2AB57801B7DF066795C2E5FA310C,SHA256=08AD7F5CC2845EB8D249AA3B84038BB80255D2D8A406C5ECFD5EEF1B618BBBA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215311Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.348{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=E42049C10484327BF93E081839FA0517,SHA256=60FCCA2C142F8AC881EFB74F7D96924F5A10953B6DE57D338F4CB98EACB4842A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215310Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.348{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=CBA285BE37362FF984E407CA4C680640,SHA256=779A49575BEB9DBDC1E6D6CF5E8022D43B9C57A7F1F1AA735B8A28643B5BD261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215309Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.348{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=3DAEC356F6AD246112DD6B5C8682C970,SHA256=912C21AED2D506DCF3ACACD950908F00D2099EEBE3A1745E09A326110768C79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215308Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.101{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D936F3F147F3B7BD74CF6A6184B7D428,SHA256=87BE1555C10BEE66ED127F85758D9E9E1D3223954B7E6F9F525530775E829BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161657Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:55.701{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA86CB1FA9BAB0AD7D102EF5A1DA0AFA,SHA256=DAF02A362FA69B77E069047876F84C2A94BCC7835EB71A1E2D51CD04A57917FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215318Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:55.700{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EA71F5B8BB91B6B57BCB1F00C2B053B,SHA256=BA180C5B87B25E30D581B48FEFA42E45AF9E73D35877DB7B08BC291FE2904860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215317Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:55.700{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F885D2424206BD34650255A040E62D5,SHA256=9244424A479FD9A2E49D6D8A6380EC621109C460F20898EA5F8B0830816FC639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215316Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:55.115{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBC65C7A87101B428D7A852C9D5C595,SHA256=ABB082D50BA6661385DD5AFBE49515130D06D80A5BCA556E4A4EFD0DFAE6FE5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161658Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:56.922{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E16C770BFF6802F40A6464491EC402,SHA256=BEAC849C25D1317C103E5894F6F18F990B1C510A41C54D7202569321487A2A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215319Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:56.130{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACECB3DB5056010E9F69D53001408A58,SHA256=B3E082EB4BFE4347BCBEF931F659B2D5CC2A66BAB0BEEE6A91BB7C3C32654913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161660Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:57.938{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80644BB376FD66C765C43E5DCB353F6B,SHA256=7976C9DE770EE6879AB2B487D17FD250F17CD97BB8E1F559861C8BC837756BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215320Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:57.145{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38ED3506F88F8A7DCB02345FA597B29F,SHA256=67E3D64380AAE351D4423B65EFD10FEA740D48D6F271C7D07B81AFB3CB5B509C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161659Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:54.917{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52165-false10.0.1.12-8000- 23542300x8000000000000000215321Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:58.163{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45893D457F9B1A790C621A3850066947,SHA256=1B0CEB84075690B08527819079C5A7B1CB18E5E914635096A21348E757753A5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215331Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:57.266{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64821-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000215330Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-559B-6116-1107-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215329Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215328Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215327Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215326Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215325Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-559B-6116-1107-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215324Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-559B-6116-1107-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215323Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.744{079FE16A-559B-6116-1107-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215322Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.181{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D464AC68ACA6EF535E304A641AD17176,SHA256=D5FA4A539971AE05353FC9E1785320317A834DFF3F27BF521001A31B68992D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161661Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:59.000{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5E3647741C9C850EDB8A24F45024DF,SHA256=BC392B283AA12C3C752D9E6E966CF13C23A416CBF27C3DA29B4A0CDC1C2F374F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215349Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.763{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3CF45199125697D70A7BC6303478520,SHA256=871E77E1AB7CF0FC3BA09EE7B3B5469C3721E5A21420DAFFF9222771A051F016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215348Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.761{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EA71F5B8BB91B6B57BCB1F00C2B053B,SHA256=BA180C5B87B25E30D581B48FEFA42E45AF9E73D35877DB7B08BC291FE2904860,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215347Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.627{079FE16A-559C-6116-1207-00000000E701}63725024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215346Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-559C-6116-1207-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215345Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215344Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215343Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215342Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215341Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-559C-6116-1207-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215340Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-559C-6116-1207-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215339Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.398{079FE16A-559C-6116-1207-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215338Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.364{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=8A4B17112F98201790AE297AE1EE9CFE,SHA256=3B85E146B31D67B49E83B5B098D52BBABBBF664D339494D3C66F90247EE49A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215337Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.364{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C7A9B9433C08FE8F3B9AA3B51EBF6CCD,SHA256=CF0C8053E6D8A490AAF297BD45F6236F7C2DED94876FB7C2FF81F5156274C8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215336Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.364{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B0A18F0DEB973E5247715F94232B19CA,SHA256=997FE4F451E102977A034310926705209D739CDDDFDEF1AACD23F1C630A565C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215335Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.364{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C3974B716F69E6591B7CB5792C544A52,SHA256=AE05E731AD0AEB78CAB5C40660A76F590BF7A0B619D2792274495BDFF107FD5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215334Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.362{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=8CAC2BA9ECB238D117138CACCC23B4D0,SHA256=BFADF2BE9FD7AD820E23EE436F2F6284C5763AB9E14F84517E5838D1FF5EB8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215333Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.360{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=26AF8D61870F44A2628ED1399E41D890,SHA256=3B213B7724AE4E9E85E20698925273475E44676179C13D7695741CEF474883F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215332Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.196{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF6068D1ED981CCF92B35DFEE4CA92C,SHA256=767A68512A284DB64E900068D8023F043FA251D88F5431E96E0D551DADCD8EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161662Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:00.016{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE411C4754ABA5B376B95C9A3A8DEEBC,SHA256=DC2A78096B64CF3558FFFD27C19173B6D377F05A99DEAD958B2BB37AE2590668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161663Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:01.016{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABC945E25C07B371BF0FCB7E2CE7A29,SHA256=85CA2B6910364A2A7CB47D9608A301C794749F39082B1B04DAC1F48A29355E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215358Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:01.227{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF998CD4348614C414900B84A5978A5B,SHA256=441F48AE36FF119A95F7A1EB49746DAA65EB08CC646C018CC642AE9BD169F089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215357Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-559C-6116-1307-00000000E701}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215356Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215355Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215354Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215353Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215352Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-559C-6116-1307-00000000E701}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215351Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-559C-6116-1307-00000000E701}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215350Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.997{079FE16A-559C-6116-1307-00000000E701}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161665Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:00.779{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52166-false10.0.1.12-8000- 23542300x8000000000000000161664Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:02.047{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A19F0183B3D819487A7B91E0CB89AC5,SHA256=02E3EE2047E3F7D94EEDD6B1212E4D395E91DFBC9D6F94255461DE9DB118AF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215360Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:02.241{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12964067F73FD94C2279D60C6F664686,SHA256=1886626E8809A4A39F10F32CA8A02045D223586854526E72791D7F02DF15CEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215359Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:02.010{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3CF45199125697D70A7BC6303478520,SHA256=871E77E1AB7CF0FC3BA09EE7B3B5469C3721E5A21420DAFFF9222771A051F016,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215369Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-559F-6116-1407-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215368Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215367Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215366Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215365Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215364Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-559F-6116-1407-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215363Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-559F-6116-1407-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215362Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.794{079FE16A-559F-6116-1407-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215361Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.259{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D79EE79C36E9CC246C07549D3EBFBD,SHA256=896F82D3C8C018A2A10A3388F21A9539F82E75BB94D588CBCD08D1CC46F0C9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161666Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:03.188{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3EDDE7A7277FAD2FEEAF45F9215B35,SHA256=0609535DB07F3A3D15CEF1F616EBB6BFE68A4D7819E93258D2C6649FA037310C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215382Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:02.316{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64822-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215381Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.725{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=718ED949AC98F2164D5C29584ECA195F,SHA256=76C1A6EDE0A383AA2EB6C03E05B82CF122BDCE979B318B7CDDB026C0B5CC108D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215380Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.625{079FE16A-55A0-6116-1507-00000000E701}22961232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215379Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55A0-6116-1507-00000000E701}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215378Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215377Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215376Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215375Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215374Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-55A0-6116-1507-00000000E701}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215373Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55A0-6116-1507-00000000E701}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215372Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.395{079FE16A-55A0-6116-1507-00000000E701}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215371Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.278{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A30FDD91F74788A2C07DE73E5CCAD7A,SHA256=8081BC99FC1D2DDF14D61828812EC2F384D7F0F722BC0DDDAC0C98EC94916E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161667Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:04.203{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21966B69A2C9FFFC1B5D35C220A244BD,SHA256=131E43F4F9D96884ED28D586219C90442AFB584AF09CE94A64DDA2431F99BD49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215370Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.194{079FE16A-559F-6116-1407-00000000E701}71447064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161668Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:05.219{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF3DBB3F19065BFCBA8E9A339ECD534,SHA256=7A0DD37469F9A3BAB4DC8BF1E8DDB307D8BF2DB1ADDC16092C789A7597293F0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215408Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.961{079FE16A-55A1-6116-1707-00000000E701}65726656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000215407Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:02.832{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64823-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000215406Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:02.832{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64823-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 10341000x8000000000000000215405Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55A1-6116-1707-00000000E701}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215404Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215403Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215402Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215401Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215400Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-55A1-6116-1707-00000000E701}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215399Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55A1-6116-1707-00000000E701}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215398Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.725{079FE16A-55A1-6116-1707-00000000E701}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215397Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.393{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=6AA0CD7B0C804F479CAB10B216CC0BE6,SHA256=140AC6CD6D42A130C9BCEC8EF6C9C5BF0B65A6820FA05A8BDB05010781CBFE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215396Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.377{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=1C4F54BB566879E85708CDBFFB4FBFDD,SHA256=583F9225F812183CA4BC573995AF7DCD3D83E11370A96D3B3756AE3E0674A36F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215395Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.377{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2C667E70B49E8E6BCB5FA44AB3C97241,SHA256=6D402DA4A4361D9CEC4DCEC16CF0907F4961C941FE54E37FB5377F6F1D12D60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215394Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.377{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C355A2502E36E82155E7DFD09EF57178,SHA256=222A767CAF6D7B999633A3172CD8F2B2D5CFF4F42E117B70170B816893715365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215393Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.377{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=939FE3A4B961E1DABFBA20A6EAC1D7C6,SHA256=242B4D2639F70D4CF3B2CAF9AA210A0A31480311D22859E7B26F743D023FF3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215392Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.377{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=23B6FD7635560D1399937EDE2E46750F,SHA256=5DCC42E8D7262E665F234F9ACB320EBCF530674FC67255C22EAF87DB11278ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215391Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.293{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB3168C904EA66E75D4DAE2CE373B34,SHA256=AA4482912255A22FCBE6CE072FF4EC3ED741CC82ADB69F880C92F8591ECF7F47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215390Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.062{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55A1-6116-1607-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215389Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.060{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215388Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.060{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215387Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.059{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215386Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.059{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215385Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.059{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-55A1-6116-1607-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215384Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.058{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55A1-6116-1607-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215383Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.057{079FE16A-55A1-6116-1607-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161669Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:06.219{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8362731CB4AE2303110D3362830C42DD,SHA256=685F9844126538B8885F09B2DA80AD0DC4973737C24481FE8E3D3FDADE1E53D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215410Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:06.308{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FFBC155439970593913C317CED83A8,SHA256=3EA6DFDA75CE2201130BBCA93F8EE7815561F47A6BA73464D98CAE4E5F425F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215409Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:06.077{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD37DF455DD188B6B19ABCC9B904049C,SHA256=6C8C59038A5A07291A0FF57127D9AE37B8BDBC4F946A1352C76CEA201D4884C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161671Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:05.826{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52167-false10.0.1.12-8000- 23542300x8000000000000000161670Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:07.297{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F3D752733D3BD657164AD539DBAE1C,SHA256=CF5B8721CDE81F74F6D1FF5F88B3B488CD674DB111B6F36279D071F6EFFCE7C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215411Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:07.323{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B594AE92C244BFF946F2D43131E754C1,SHA256=9B95F7D4783A4A7A41910FA5FEB912A1944844018F3169B08FE52F12DA479DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215412Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:08.338{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6083686D3277284C5DD4971808449538,SHA256=73D2EEA2EF3DC205136FFD4A396E55506D02A4411E9AAB9315E0895D64E2F073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161672Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:08.313{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190D0042274254E0FE69615C39EBB6DF,SHA256=C9F2E86DD0065BF994C8A70A0E3DAAE05826B0B12456ABE4939F29357D906317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215413Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:09.338{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC9D15DD146BA9D69745567D7B15D34,SHA256=63DF3D39DA7DFAD844A86ADEADBE7113C5F3990B6B239113B8DCE95101C9422A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161673Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:09.328{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6494650CDE0831C9330E536459D6897,SHA256=8B296BC33FCCD6284B56B866EACBCFE2012282EEA5C65A9FF29F182A8F8234F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161674Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:10.328{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4F94BB61E7D7D7EFC9784D8F6029DE,SHA256=2F52B105405F0BA183F3AE6DB01F32112FBD55F83FB43069D09D46E431D7BF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215414Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:10.367{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156CA48F1F2C3FE02B438D02768C08B9,SHA256=C18D6BC14A2E0A0CD1846A866472FAA0F4EB54F1D68CB608096E022AE604D09D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161675Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:11.344{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44BE9C595E39FAC850E7F4738043D0EE,SHA256=BB92BCFA6772CDA4A0EDBB60DDB48201ABF1B2890F400D364F912DD55C09DE99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215416Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:11.385{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCD6757D4F88952404354153801BCFE,SHA256=7BCAE34062488FC283BC82B946609A33A9CDDBE448BD4A00AE35029DB43AB04D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215415Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:08.177{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215417Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:12.400{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1528CEF5655E6D9D5F28CDF74B3E0FB5,SHA256=8F1B194DD9DD3CE189762DEAF7ECB688B25020070F73A1C27063AB99EB501AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161676Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:12.360{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AB0ADFA3D020AE21ED69ADC6BFFFF0,SHA256=EE18AF905510EBA058A4DB9828A0279209AAC9FEAEB06A7B103C5860DA3299C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215418Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:13.431{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEED14AAB4FDD1217393449EB548F1B5,SHA256=72798375C5C48CB4A7AC45823B42D2E4EA40765F063964AFE16707D824472C70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161678Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:11.811{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52168-false10.0.1.12-8000- 23542300x8000000000000000161677Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:13.360{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F39E18549A2A18390E0EB654326454,SHA256=2014A9678F5F0787AFA3219B218AAC238E68BA01DBDBC68F11067274A4C35F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215419Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:14.463{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA814C3B582BCBCF8C8A713BD308B4A5,SHA256=75B3D0CAB5535E4D4839254B6260AADA2A74D24B75E63962415987C559E8F3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161679Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:14.360{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A872F07BA45D9C5618ED5B1EC2B94F,SHA256=B55271A405D792310021D8EE238EE5B61928D718BC0BDFEDEE37B547DD3A5709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161680Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:15.375{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF502B06EBD4420CF2B811633F86E74,SHA256=F3E0A84B22469C2E2BDD216AAA5C4682E89452A09010E465A9C53D6E5E1A4EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215420Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:15.482{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE2499BDF04B0FA94464A0383A35745,SHA256=4A7B5B9A68D6A3D30942D2EE95F75DC75066C97B50A73C85E05DB9FDF65C230E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215422Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:16.528{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB64B85591F99D746BC97820556A1D5,SHA256=978600D255114FC10600CB32F327CC3B21AF0B582D8CAB784BE247C7EA41DA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161681Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:16.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D7E8A9BB6A70EBD22BD8C8468A8D37,SHA256=9E3B2CDDB22867BB51D27E3C3C4A95020D5B6C875833828A57631E0D9C59F5A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215421Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:13.221{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64825-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215423Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:17.530{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C9CF8FAD18032412C361419E4C7CF6,SHA256=66471758C7AC1C2D9B16C7853283C5DBE2595900A1F07612309E98FBA91003C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161682Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:17.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A345C0CE527471BF43E9A21537BC4D95,SHA256=040F82D07A3ECD17D58B7EC1AC252D141A9F324F54A0BBBA65CDF9E042208681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215424Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:18.545{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7413EC6E8B1BAAD6F90804382B62CEC7,SHA256=D80408B8DB4AD2B62712DF7F255859DDF6F5DDBB03040B64485023DE022418E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161683Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:18.438{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D08EF0BBA74942DD20CE3135695185,SHA256=1F887F88803BEFB76BA11E5AA5CDB9DBD47FCB5A1191C237CB367E19B7E6A68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215425Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:19.566{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA0CCB8574955EA9D1DBC1CD39815FE,SHA256=65D8B90032D0A7569786C4D3864EED93D3FB14D408B82C4F7A94DA776CA59507,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161685Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:17.826{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52169-false10.0.1.12-8000- 23542300x8000000000000000161684Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:19.453{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB0CA7BB81FBE66BAC517CCE90935BC,SHA256=CD0CFA4313EE5AE36E83BAA72591D7C5787E0061C64A1AFA9BD3B7437AF3384E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215426Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.581{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC889FBDD1E11A60D697958D7455F723,SHA256=7393AF5C619533CF196C7025DF788AF9B94872B509CE5905AAF7178D521DA123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161686Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:20.469{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98A6E3D7670B9C8B3D1A8DE8A2B2A40,SHA256=CC673C4FE51E732A9F659E33262A3F4486E14F4796CDA062B6C4C841E11B12EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215428Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:21.596{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364595D7600D6FE0C1664987F6F25C7F,SHA256=EA8C172F7DAC3F575A05717221442616BC03DD6B1E9596FE227C604CAC6A8549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161687Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:21.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AB97401FF2FC0EA05FCC754928C507,SHA256=D2C51DCD40DED661B7E26257A67A35C3B81CCAEDE5F0A9990C2D55E082915F7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215427Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:21.512{079FE16A-26A0-6116-0B00-00000000E701}6285044C:\Windows\system32\lsass.exe{079FE16A-269C-6116-0100-00000000E701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000215432Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:22.626{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC83C4C1C3C73807245BEF126B75259B,SHA256=60296B60D2A307A7EC3B90DB76E513898E728759680306AF09E287315DE2D78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161688Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:22.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B4ACC3436D53623F7372B239DE0E5A,SHA256=EA403C7F0D17CC35EA183F70A3486C0A5E51E65C6244B61BE6CA83A6DAD080BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215431Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:22.442{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C942457AA3021C4BB4D8E69592B3B2B4,SHA256=D20C1AA4D72A22902A5E11C02B779BD9A903194B670797487559E4B9976A5568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215430Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:22.442{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222F4B2696E2C39189F18577635EA89A,SHA256=3B1102F9D3194ACD36A4E8997C988C2C033EB15B661B7AD48654A7C21E1FD6CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215429Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:19.182{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64826-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215439Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:23.662{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A18855860016BCEE2F28530FE4DC46,SHA256=C2F7BC857B88201C4AEF5A914E376DCB5CF27CDDE41580F2E8DE8545FBD3A17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161689Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:23.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E615685AD3A303C488FCD465B1855BD0,SHA256=C4C8F8FBC1AD668ACED31B305E63353BA47D93A0B803AD048FA471AAC5B7BFEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215438Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.641{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64829-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000215437Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.641{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64829-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000215436Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.548{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-414.attackrange.local64828-false10.0.1.14win-dc-414.attackrange.local389ldap 354300x8000000000000000215435Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.548{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64828-false10.0.1.14win-dc-414.attackrange.local389ldap 354300x8000000000000000215434Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.524{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64827-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000215433Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.524{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64827-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 23542300x8000000000000000215440Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:24.677{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151E58FFD8D05C2C2ED53A9B6431880E,SHA256=08C68E01C441012E46E04121D15C5DB94D641FC138F3892ACFC5104C94EBF31C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161690Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:24.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5752B1C34A7A91EB522CCA293E417423,SHA256=0ECBB1244C28402C5457D9CA4FDE623373E4B1450E7DFA1CB857E8F36A87422E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215441Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:25.693{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3771C20A3F7F8FF6866BB435F4E353C,SHA256=45E1C982E9817717565AC37104C172B1573946708A05341BD5F2B7EBACBB6CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161692Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:25.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1A9CB872F7AED74816F59B48D1A650,SHA256=25509348D830AA64CBB37EE5DE01BCA8129F3500DB49F59C3C557BE3DC0FD3BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161691Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:22.889{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52170-false10.0.1.12-8000- 23542300x8000000000000000215442Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.730{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1D5A603A6A08EB8E7D613C29BE9FE3,SHA256=5A003429335842DE8D8CA4E238E24584D28B5530E0998D5C7C5B130C7F11B2AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161693Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:26.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3755CF4A8A4EBA7B4CB25E297BCAEE6,SHA256=D5F09BAE3F0E3D8FA57E4284499463FC910F99B2F7A9915C493CB3E409A100A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161694Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:27.516{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06681CB9A68B6F349C6582268D0D5674,SHA256=B7965001F0BB70E2A38FE68A9A7ABEEF735C86ABA8DC538ADBAF998B1A35945B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215447Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:27.765{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DBC86E294F004A89C9218EAA5E31AC,SHA256=73DFBABE6C1AF17AE8172928B86C9E9C22B394724B3FF16B54E9E05FB19DCB36,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000215446Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:21:27.382{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x8000000000000000215445Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:21:27.382{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\44A90C05-1D96-49A2-A5E6-242C78701B1A\Config SourceDWORD (0x00000001) 13241300x8000000000000000215444Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:21:27.382{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\44A90C05-1D96-49A2-A5E6-242C78701B1A\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_44A90C05-1D96-49A2-A5E6-242C78701B1A.XML 354300x8000000000000000215443Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:25.184{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64830-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215450Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:28.782{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D02B2E1087F30451F63F27998AEAF68,SHA256=613FCF369BEF27A9DDAAC16979A798718B6394CD403E5F2DE95A45C2EE859E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161695Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:28.578{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC6110983CCF97083C2D1A7AED3B4A6,SHA256=ADB65EBD992A454245809B9BAE7041979FA412553326CB8A504959882FCD5624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215449Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:28.444{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=237F2347FF3039790156D744C889DE90,SHA256=03D480BB32EB6D4C82B1718B43C7FFD9FCBF192DE055940F9BD5C9C50F786065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215448Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:28.444{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C942457AA3021C4BB4D8E69592B3B2B4,SHA256=D20C1AA4D72A22902A5E11C02B779BD9A903194B670797487559E4B9976A5568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215457Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:29.812{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9644BF1E73AEE4D0507FAF8D4FCE410,SHA256=AB9D1070C49516B915FC8D117421A8709748C82C1B98A5934A301F4DA917F89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161696Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:29.594{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A654C95A5E30895000C5D037126263,SHA256=CD02FBC39F9F6B97F683FAB2D386E15AD32CA6D171154AC82B1F2D82AA57A537,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215456Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.524{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64833-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000215455Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.524{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64833-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000215454Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.512{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64832-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000215453Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.512{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64832-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000215452Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.486{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64831-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 354300x8000000000000000215451Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.486{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64831-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 23542300x8000000000000000215458Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:30.826{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66AEE65E639109A9D6C6F4F22F450F7,SHA256=FD2E2D037F8908B49E5F86E29E92A66179799E716D3DF5ED5335A7831C995EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161698Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:30.641{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627AA87D3C864C5B26DFA6DE86F0F293,SHA256=DA9A747C322D727144C4C3933101F99435B8E2083C198BE57C0C4B1FA5374C91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161697Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:28.748{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52171-false10.0.1.12-8000- 23542300x8000000000000000215459Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:31.842{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AEC6482EE39FB0DC006B7B9EBFD59F,SHA256=4C8944A013092C8FBBDF51F637B01137CBB29BA0D85101A597EDB2B35AE7DC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161699Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:31.641{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10C2C743D8A9845853C9E32CD5F9C80,SHA256=9C6B49FC9669AC2FAAFE524C7B693CC07A430BF79FBC2E2CFA94B9494434196D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215461Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:32.879{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA3DCCABDD7EE8FBD9239459826F680,SHA256=E999CCF6F07DAAD237A6007A7C6D65F909B98243F3C42761B32E59CE0F194BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161700Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:32.688{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A0158CCF697FC56949EFD15840CEBE,SHA256=600904C27C2FAA02E3696B0AA3DD94E26F799B9C022F445EAB4C10F12C7A528B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215460Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:30.380{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215463Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:33.926{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCC7D672DF9C0A43334D18EB6453329,SHA256=69393320BC09F16C64B3BFAEA8E3146963614EDD66716C9EB5DA3663F798750F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161701Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:33.735{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B893608346D4D77411A77F5F55422AC9,SHA256=5F6676ABF3828BA681EBF0534DB05141E0BD40F19051BE79B7EAF82514A5E034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215462Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:33.262{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=237F2347FF3039790156D744C889DE90,SHA256=03D480BB32EB6D4C82B1718B43C7FFD9FCBF192DE055940F9BD5C9C50F786065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215464Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:34.941{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15E602D068D01E33E7AD375BEDEDC15,SHA256=BD5C6F2082D2B495B706FAD1BB223FA7C5CB38EBAC0ECB384952611088216FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161702Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:34.782{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8510A8C5EDF0822D2F36D1EB4B066DF6,SHA256=8A118359EFD2CDDFA696504DCBB00B5CF1A239AB0767A5BF63020C0325AFA676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215465Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:35.959{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FBB84AE8E295D10EF5AA8126F5BBAA3,SHA256=432372DFD9D8E2A74EE360EB39784A2A9A0D6AA0D88A83A2697CE43EE27839F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161705Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:35.782{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8D8E0D82A7149D4159C15A1F6DFD5D,SHA256=E81DB14AA72129C4E901679C8890F153B7A6CE541EDC67F1C84308835D37230F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161704Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:35.313{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5BBCFF773F7C4A7EB94C619BFAEA1354,SHA256=3C9AB0DAC0C3CDAB2B3C1C13F53714E752A1A1D10631730D1398161A7A16A530,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161703Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:33.764{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52172-false10.0.1.12-8000- 23542300x8000000000000000215467Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:36.976{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C97A9FBAD66307023803FF2653A860,SHA256=8EF715084CC237D652C7AC02F07CA480805C10EEB38A12053F9C640E89B283BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161706Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:36.813{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880F5680B29D8F19A6B4711B457390B4,SHA256=56E2428CBD39DF3B5FCA2E0B3D59C48664D81170A3B48615411C8FAB8EE18561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215466Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:36.908{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=28DC80CECFB5ED05195443295F9F533A,SHA256=7AF43D5CE70C3E228E22696FC99ABF16CCC0371055222BFCEAB86A6F59E808E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161707Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:37.844{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE4C73129473C30A30356CB0DE3C558,SHA256=3A67CEB50B983825F50E3448E5252A431A8B1D1A23B19E1E4901CC8370C66F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161708Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:38.860{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE254FE900C34545B6D50CB99CD98B3,SHA256=408914A836EB5C88023DD029EB72F6F045BCB568A78CE50387652E1B65A2AE80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215470Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:38.837{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215469Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:36.277{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64835-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215468Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:38.038{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DC67ECEA545E697AF2FB5CD7073FE5,SHA256=F37C1AE0686014A07EB712E73134E4A24683EC78FFA46D87233048BE03BD4FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161709Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:39.891{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CDB8E014AB712D2FB172768354056A0,SHA256=DA398D5DE047BC03F6CFE163E514AB2F96261C536518E56555D1703FED34333A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215471Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:39.075{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66861910A86AF2950FE6CC5E79871DFC,SHA256=75C54B75174B2E8A040E59889F676BC6CDDF5517F22FF66C2868DA3C0DFB43DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161711Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:40.891{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56ED4EC615108799503F8BDBA625699C,SHA256=E265B0B5201980F7CD29CF22284CF835B5A696F45937878362DBF6AC5CF07D40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215473Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:37.945{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64836-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000215472Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:40.090{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F6F5EF645E39C7F9A50CBDEB20707C,SHA256=7A7B0E4078FF057BB049003651A49243C6547D3655F5CDA469EC145507876739,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161710Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:38.796{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52173-false10.0.1.12-8000- 23542300x8000000000000000161712Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:41.922{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2BE23F2CD2E4415B7AE0B38A1EDC74,SHA256=9DEB1F34926B10F98B9E0973A473FA169EA82DE2FC2934A0A7B1F568FA4CAE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215474Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:41.105{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FBEAC2971F4BBC24BD4E70EB2735A81,SHA256=04EED7212A45AB8C8C66A4B24B78CD7378E22AA6F7644B2C61E92DBE969D8A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161713Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:42.922{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B786B9E02559D634A4E08350E03FAC,SHA256=CE90D487F30E9A46D4C06A22796CAEBA5C2D20C210BA11B234DF93BC45B976D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215475Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:42.108{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE68888BC6323F456845B3119BACDA5,SHA256=FB500CF9099724F8EB7D59AF4413B961A87C128E1127E73FDF1705647EC359C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161714Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:43.922{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C2FA5F661FC348231381F4053F253D,SHA256=CA8EA5E11FE7291D7FB182840A0DE061241437B7723BA36E12BA6C9AF47032A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215476Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:43.121{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31ACB1899BC16DB24CE9F23D35C2FACC,SHA256=510D2F8EEB6FD8110D7D546242708592818D911055BE0253B310D1EB08354315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161715Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:44.938{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588B20102655D804E6EFFA62A31708DA,SHA256=DAB8B7D6F03D83DF366F3A0ED6854725B7677CAD3EDC5A84EE9958F74B56ADC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215478Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:42.228{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64837-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215477Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:44.190{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1816C6E1A21B5BCD8FEF844F1D69B323,SHA256=2B8BEBA0BF2964788173FCFE72DA99214D2427EED830704DBEE973D1B33F101F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161729Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.953{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67D47986280004B34A9F99961E747D5,SHA256=13D9AD6897F5FCBAEF80D68310F61143B302AA6E0A0E8E7F087C8F8B1F2DAC37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161728Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55C9-6116-0D06-00000000E801}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161727Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161726Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161725Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161724Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161723Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161722Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161721Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161720Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161719Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161718Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-55C9-6116-0D06-00000000E801}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161717Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55C9-6116-0D06-00000000E801}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161716Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-55C9-6116-0D06-00000000E801}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215479Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:45.220{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F8A52B291169C9B6FFF483447EFC9F,SHA256=C23A2B75B93546E0A7776310EA53C161AA1595158AFC17C7C3D05BB89B4A812E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215480Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:46.235{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C0C4EB3544B94DC4C103FA602DE7DB,SHA256=EC8DD0702C10173BD8478764310F3C7110B6C661727C39758F42013ADF47AAF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161759Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.907{C6197713-55CA-6116-0F06-00000000E801}2564868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161758Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.719{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDFA8AE85A11D4591247FA154B1CFAEE,SHA256=E703379308DD0DD56FA70E07BB1A7EF5B579B0C3A85A90D567CB1F530259C5CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161757Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.719{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA826F20E7D76791B206781B1384445D,SHA256=CF4BAB7466B1117CC2EAE146E0310E88FABE828DB8E102209DC8FC242DD810C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161756Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55CA-6116-0F06-00000000E801}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161755Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161754Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161753Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161752Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161751Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161750Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161749Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161748Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161747Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161746Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-55CA-6116-0F06-00000000E801}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161745Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55CA-6116-0F06-00000000E801}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161744Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.673{C6197713-55CA-6116-0F06-00000000E801}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161743Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:44.796{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52174-false10.0.1.12-8000- 10341000x8000000000000000161742Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55CA-6116-0E06-00000000E801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161741Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161740Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161739Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161738Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161737Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161736Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161735Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161734Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161733Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161732Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-55CA-6116-0E06-00000000E801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161731Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55CA-6116-0E06-00000000E801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161730Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.173{C6197713-55CA-6116-0E06-00000000E801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161760Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:47.000{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710FAC7CD4EA9CB13B422D64CF55F9BA,SHA256=C8B1CB4B76337C59FA6D445CEE2060D72FA16FC69B9A5714FFBE8D95371BF98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215481Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:47.253{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69769E413E8F85724EE91B3D30DDCCCB,SHA256=B08EF49ED42003108BDB75523A72E6018FDC90A64868CF789A7B5D232971C237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215482Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:48.271{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323AFCED681AE6321F6AC371971E34E7,SHA256=E66680DF29E4D1A837927CC7E6201DC05EC2DC0E9075804FF00AFB68C54E25E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161790Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.985{C6197713-55CC-6116-1106-00000000E801}28363540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161789Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55CC-6116-1106-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161788Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161787Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161786Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161785Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161784Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161783Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161782Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161781Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161780Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161779Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-55CC-6116-1106-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161778Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55CC-6116-1106-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161777Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.798{C6197713-55CC-6116-1106-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161776Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.610{C6197713-55CC-6116-1006-00000000E801}26641192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161775Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.375{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161774Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55CC-6116-1006-00000000E801}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161773Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161772Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161771Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161770Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161769Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161768Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161767Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161766Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161765Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161764Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-55CC-6116-1006-00000000E801}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161763Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55CC-6116-1006-00000000E801}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161762Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-55CC-6116-1006-00000000E801}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161761Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.235{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7225CEBFC6D9E15DEA8B304484C1A911,SHA256=44EC31C58D6F9A7B3F85606FB35729255F65C5A5D45E21769F933CFAB354C33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215483Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:49.302{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC53938633FC19DEFF0FDC37677783F,SHA256=699E4DA1557D1F28CC735A1843446396962B631D7FC3BF851D6496D70FE2C6A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161820Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55CD-6116-1306-00000000E801}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161819Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161818Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161817Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161816Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161815Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161814Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161813Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161812Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-55CD-6116-1306-00000000E801}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161811Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161810Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161809Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55CD-6116-1306-00000000E801}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161808Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.814{C6197713-55CD-6116-1306-00000000E801}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161807Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.547{C6197713-55CD-6116-1206-00000000E801}31202236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000161806Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.033{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52175-false10.0.1.12-8089- 10341000x8000000000000000161805Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55CD-6116-1206-00000000E801}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161804Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161803Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161802Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161801Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161800Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161799Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161798Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161797Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161796Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161795Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-55CD-6116-1206-00000000E801}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161794Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55CD-6116-1206-00000000E801}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161793Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.314{C6197713-55CD-6116-1206-00000000E801}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161792Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.297{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDFA8AE85A11D4591247FA154B1CFAEE,SHA256=E703379308DD0DD56FA70E07BB1A7EF5B579B0C3A85A90D567CB1F530259C5CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161791Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.282{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4810A92D3188A2CF08C3EE3E2F4DBA01,SHA256=2E68D1FB99D10A78B725E28FE0452B6B57A228DB5780B9BDF01F8E869AC9A93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161822Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:50.453{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BCD33F9BD755ACDB1CFD3F6FD4EB5C,SHA256=FB08009FDEEF589BBC74799165437758E54A24C518CB448F331C9B45539879F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161821Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:50.453{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67DBE9592DC7A45DA800DBD51BB6FE5F,SHA256=B8D8D2E694CA966ADDA3036F61B7E13240CCD87B9BFD38867120871344C03393,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215485Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:48.272{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64838-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215484Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:50.317{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247501F3D291E90FA46194667C43971F,SHA256=2AF0A4C1E4B683A17B62619D85363B3C93979A3D27AF22F3DFFB62BA026D0CE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161824Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.811{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52176-false10.0.1.12-8000- 23542300x8000000000000000161823Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:51.516{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4E34C7E68930AFA02F7E2B26D8293F,SHA256=7CE062C564240E01CEDE30647A9979E541B2E34CAB16ADC7365A9AA3A9389948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215486Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:51.332{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300688200D114EA862DEDAB6DE5ADF2D,SHA256=17A4EB292928BBF7BF9CCED9D2831FB6BF3411276469F7B3DEDB0CC3A67953CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161825Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:52.547{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8462BF30E91892D91F54AFAA2BD088,SHA256=F6BA164B5D166623B8AC83F6B324B1B37D7BD9D815FE31E4A61E19B3BA6E5D6E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000215488Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:21:52.715{079FE16A-26A2-6116-1000-00000000E701}384C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79035-0x6a9e8bd8) 23542300x8000000000000000215487Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:52.369{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5454F7F7432D989884AC310ACEDF9B67,SHA256=601FD9852D951C7D7EA90CB31B69AB1C236F4CD76999A58D9EFCFED8FF1129A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161826Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:53.547{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AA1E080FBFEE1F96B3429647B41594,SHA256=D34D57D81C9CBDB0E2051A087557B0E3DBFCA62D9374E0F07C6D924A95AD003C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215489Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:53.369{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E95F8FC315F07A2A03D07402A526BEC,SHA256=FF6D7E5FDBC863275097B15BE18B7E87EE6D626A96314A481DD080E5E60EA4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161827Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:54.594{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B76F5422227249B6EC7B7A284B3C31D,SHA256=C83ADA9C2BE65AADE3F09870E45A3594C18D402C6B326072BB4B0FA6913EE4DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215491Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:51.822{079FE16A-26A2-6116-1000-00000000E701}384C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-414.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x8000000000000000215490Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:54.370{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307775EF007372F08098BAB5E2917FF9,SHA256=43391C3E816D7E36BF53BF91634C6A0489CEE52CEE0EA389CDEFBC41874080C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161828Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:55.634{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B582DB5CD7939298C11E0F9C37EC995,SHA256=25CC072C6EEC0580048362A5BFB45BDE92AA30CB46FC6AC13EA3541522DBB7F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215493Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:53.409{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local59431- 23542300x8000000000000000215492Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:55.400{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FE864D9EB99DA43DD934E1687D4C6F,SHA256=C34AA15D0E35D1AB3A213C067D45184F6E9B0D9AE05A9C1AE63B70CBA309855A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161829Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:56.724{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D039DB058F46E7B2AA0A343A088DF1,SHA256=567865570CA34B8B0424EF1C7FC7FD11FB258C4D647D85E17223328821C6598C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215495Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:54.274{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64839-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215494Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:56.415{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86BE0A0CDB9DB72B5002F5CF2540128B,SHA256=D4518BBA19A11F8F78AF17C8BCB84CCE43C1AD55F4EB1C5E4F36B243D0BEA865,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161831Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:54.867{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52177-false10.0.1.12-8000- 23542300x8000000000000000161830Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:57.737{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E84B7831230BD1978BC5B48E24112D,SHA256=C714F2D5AFA7EA98BCAF6F01EB33DDEBC711444DDF39BC366C9A22F425D180BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215496Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:57.430{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5DEC2578D6FC1D41D63D19F3474EC6,SHA256=EDAAEAD08F864AC400596EB310B0A1D38F0ACA62C92AE95A7866B653522C11FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161832Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:58.737{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35CD9019267A974C6C162CE89019572,SHA256=C4103F8AD7AA8999D0E268B05BBBDBD656F46320580E0B4B8F0F6BAC6E1A189C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215497Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:58.466{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2310EABAF2BA66356DA95D4656054A2A,SHA256=4408FF5A0320B17BFA629408156FE7AB8B4651723E64A30497F658B6DC3B0ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161833Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:59.784{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2450A48C7351CEEA659F813854CDCE,SHA256=EEF4EDD4C4743B22B39C237B2C5514C5D38C3E007555C968D1BC51866D734F5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215506Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55D7-6116-1807-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215505Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215504Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215503Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-55D7-6116-1807-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215502Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215501Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215500Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55D7-6116-1807-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215499Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.768{079FE16A-55D7-6116-1807-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215498Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.497{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382324D4FA2DB99C8D12F37D8E0D27C4,SHA256=ECB2B3F7089089D79C7DADC3F2506693BE26660EB60FD9397EB4D0ED483A7563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161834Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:00.800{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC197400C2C020FFC29DC0C3853F55B,SHA256=3100EC926D5A30CAC77EE9EA53BF142120AE2A245C0626A03F63E0C89080EC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215518Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.779{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9E7C4EBBAEFC34FE6019CA1FF28C889,SHA256=0E549314903F0F67467BB196A520E4B59816D7551D8FF298B094C2B382B75A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215517Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.778{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4073CC7B21ECA82CC4177C1A1733790C,SHA256=7498E73291387BB7036F58E3902BFAC9DE1C580766B3F3F930CD317E53198E64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215516Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.679{079FE16A-55D8-6116-1907-00000000E701}53605892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215515Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.526{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635B50A1A6645B7A6B95D0AB679540C9,SHA256=DCE1BBA12759CB1CD24991CDDC7D81CFE33265901ADCE64DFE6D6C7549E98CAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215514Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55D8-6116-1907-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215513Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215512Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215511Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215510Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215509Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-55D8-6116-1907-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215508Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55D8-6116-1907-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215507Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.359{079FE16A-55D8-6116-1907-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161835Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:01.862{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BEDDB4D5211482B1E2A798802824CB,SHA256=175F2626ABEC1DA2EFA98494DB1F4FA26DBF3DE648FFBDF4FA07B72F10CF4AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215527Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.558{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B34A0DDFD9608028F816635A8E5DC63,SHA256=A0535458B4871738B67545844B0FDF54C5AC6102BB5E87FC0235D679CCAD22BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215526Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55D9-6116-1A07-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215525Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215524Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215523Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215522Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215521Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-55D9-6116-1A07-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215520Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55D9-6116-1A07-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215519Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.211{079FE16A-55D9-6116-1A07-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161837Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:00.908{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52178-false10.0.1.12-8000- 23542300x8000000000000000161836Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:02.925{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB511459AC3B926D0BD9E7CA2B9CCF64,SHA256=77026B1CB2499A32AF1020F24E484CCD1C646214411319C6B5671BB0A50E0E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215529Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:02.579{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E10947DE16E65ADB8838A5B129A112,SHA256=AD2E93C4E384DD029B46395234722823FF5813EA7320DFA755049BC2C7DBF3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215528Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:02.241{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9E7C4EBBAEFC34FE6019CA1FF28C889,SHA256=0E549314903F0F67467BB196A520E4B59816D7551D8FF298B094C2B382B75A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161838Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:03.956{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD63DC650D8B30D696A23C4873687F5,SHA256=30A35709CA2044AAFB811104D2F2D4B1A4813498BFDD9910F71980B04996BAAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215540Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.956{079FE16A-55DB-6116-1B07-00000000E701}62406432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215539Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55DB-6116-1B07-00000000E701}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215538Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215537Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215536Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215535Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215534Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-55DB-6116-1B07-00000000E701}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215533Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55DB-6116-1B07-00000000E701}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215532Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.727{079FE16A-55DB-6116-1B07-00000000E701}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215531Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.594{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BDB3B5CA05B09C5ED6178CFCF49BF7,SHA256=D4D24353D3F1A34089DF47A81D6A46F7733AD009DC2357B81C9C506729F89301,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215530Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.317{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64840-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215551Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.724{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45245E0A0CBF07546705C596D8269E11,SHA256=5464B3EA0D604E0F3CFB35DA459A278F87FE152F62F685FF962732229E33D5DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215550Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.676{079FE16A-55DC-6116-1C07-00000000E701}51685332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215549Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.609{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687092DAFA0D06E7894BB71BC99E6821,SHA256=5CDBCB1D02E51BE1DA3951881E3D030302B059CB89FC291046473039394B9B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161839Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:04.956{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA84DE938D69BDB4DEA78E281A8E0F86,SHA256=30761484B14B580F75C320B0F12EDB867BA7DC3054371D4C6AEDF4BE599AD024,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215548Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55DC-6116-1C07-00000000E701}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215547Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215546Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215545Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215544Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215543Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-55DC-6116-1C07-00000000E701}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215542Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55DC-6116-1C07-00000000E701}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215541Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.395{079FE16A-55DC-6116-1C07-00000000E701}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161840Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:05.956{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3050236AE8CB9E8BF637C1A02CFDF7AB,SHA256=A217E69E61EEBA362F9F1CF14AF17BACBD0AF3AE6E5B4B7CDB148638065C2A8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215571Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55DD-6116-1E07-00000000E701}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215570Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215569Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215568Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215567Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215566Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-55DD-6116-1E07-00000000E701}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215565Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55DD-6116-1E07-00000000E701}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215564Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.725{079FE16A-55DD-6116-1E07-00000000E701}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215563Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.639{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4085A784DDDC537A3F738445EE573027,SHA256=770C046D27E2E01780BF4575D6035F13CA56DD71F5999FED669358B6DBF9AF9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215562Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.277{079FE16A-55DD-6116-1D07-00000000E701}10447144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000215561Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:02.833{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64841-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000215560Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:02.833{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64841-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 10341000x8000000000000000215559Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55DD-6116-1D07-00000000E701}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215558Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215557Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215556Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215555Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215554Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-55DD-6116-1D07-00000000E701}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215553Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55DD-6116-1D07-00000000E701}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215552Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.056{079FE16A-55DD-6116-1D07-00000000E701}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215573Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:06.660{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232BD6624F125B19F34F37C586989656,SHA256=4CB36A5D5DEBA4D5720E0BDB33C443FE3E0BBA81940BFB07560C7EAA59409C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215572Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:06.061{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40FD0D6059E9063CEEBEFD7EC7E0DB3F,SHA256=A35C7D6D5C3945595D4AEA2FFC35AB3CB07B34340C1EEFD1268574CA80CF123F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215574Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:07.676{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A29C9160A7059109CBBE249E0E1744,SHA256=7A5A4C518AD7E31B9CE7D711B74AF3E517DF943ED02EC11D76886DE0E661F914,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000161842Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:22:07.518{C6197713-26A1-6116-1100-00000000E801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79035-0x73714e1d) 23542300x8000000000000000161841Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:07.003{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F3ADA806FF65AF525AC2BCAD87DA38,SHA256=AF9CC736B821AD4B0BBD52EE05F2ABD1C118334D5C699A66694F58712235D601,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215581Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:06.620{079FE16A-26A2-6116-1000-00000000E701}384C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-414.attackrange.local123ntpfalse10.0.1.15WIN-HOST-867123ntp 354300x8000000000000000215580Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:06.162{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64842-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215579Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:08.691{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24BE57F9E90E4DE03C86D2F3C648108,SHA256=37A948B1B4AEA027702595A58234A56D57DA357D5646A40C3F0894BB10055D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161843Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:08.003{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53730A2A9CC9694F53ADFDA940876C73,SHA256=FF35135602506BC64FCE71734CE327ACC81DF6E6DD7B8AD10D64EB6A4FD0DA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215578Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:08.338{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1810933698989DC8FF6227DDBD3CFC49,SHA256=D732121C3353A6EAF92127915F407861C5997C10A5463C20F10FAB39483C2E68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215577Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:08.123{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000215576Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:08.123{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215575Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:08.123{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb8a180.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215582Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:09.707{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47817FC007D788E86519FE0BAF4925D2,SHA256=3D0FEB247E6B973A08E8BB47F2DBB9D7119329A47059BC2ECF9B7880D6D3505F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161844Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:09.018{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8143ACC568865779574AE7B5F82179BC,SHA256=7EB12DDD4DAF0CCD1D54F7F6DF35282F4AC4BFF6A330CAD1318A97819917C5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215583Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:10.722{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2A3C83D5D4FDCC5BD6BC10E68D05A7,SHA256=335E933A5AE1D8F067A48B40D34CBE98641A36F57ECF3368E811D7C79740779A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161848Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:07.173{C6197713-26A1-6116-1100-00000000E801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-867.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000161847Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:07.173{C6197713-26A1-6116-1100-00000000E801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-867.attackrange.local123ntpfalse10.0.1.14-123ntp 354300x8000000000000000161846Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:06.861{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52179-false10.0.1.12-8000- 23542300x8000000000000000161845Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:10.034{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041489655E3F0B7A8585A766B7B7D520,SHA256=4434D5C5158C57E36E136A62F94662D1E6FD0934FFF330040919E6FB79B6B342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215584Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:11.736{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D547DD2D01A6EA5FC47AA60AC6F5535,SHA256=0CBC7D3FAE2F082C336392451F797D78F18C425FBCBFD5EEE8AC22422E93F28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161849Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:11.050{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE00792D7738E2D020763691FEF28FA,SHA256=609794518B469243444602C55F926E3E880E721D07482091F077A0B0A55283D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215585Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:12.754{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2177C19A0BC4DA1408334AAD16DDAE,SHA256=52E0C6427F29594B25BDC7F539DDA6B46C9ACB700CD75AAD38BEA2CE3A462B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161850Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:12.112{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DABB11ED146AB852FC2AAAA8F65684,SHA256=63BD7A8F7DB5741384B7223DAB84DAF963BFFA9F08F101DA8DA4E4532B8F43C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215586Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:13.787{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9CEBA8603F6E79B403A6A3826B4092,SHA256=9CDE1160A1C6FF9C118DCA1A1F1BEE8772529B45A1D31E9A09B17C05436DD2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161851Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:13.112{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B395E19D6796BA3C3BAAE855CB537E51,SHA256=0C79D9FFFD182985EDDFEBF7BAAAE47EED8D5ACC6D9AABC04BF9758775280ED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215588Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:14.804{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A236264458A27FD6C221FFF101A73E,SHA256=D00F4BB4A9C68D180416B94AE2AE4BCC7E3843E8B1C5BD6542E9C4F0EF6AF11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161852Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:14.128{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D94A6B8ED4729FF178266771701DA8A,SHA256=0EFF4B716BF466740948B4EA1991C40038781EA3918134D7FF6C506D0EC1D843,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215587Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:11.196{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64843-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215589Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:15.819{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F17349B622ADF9740117BB829360A09,SHA256=AAFA6FA9C74A775DAFD7751DFA7E9C4ECB2DA5C41AFDDB94B9B00B50FA446248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161854Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:15.128{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03575C2CAB67B5A613393B6D5AA443BD,SHA256=6E5F4DE868BE4F3964FEF318F13DE68932215C6B43FC5BDA5578877137DB65A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161853Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:12.752{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52180-false10.0.1.12-8000- 23542300x8000000000000000215590Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:16.834{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2EB33BAFE72481D67126DAEACCD0C9,SHA256=A1F711778D79EC274C74279736C2E2EE334453CFA26E43ADBDFD461F346FADD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161855Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:16.159{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E9A526746D282F447FDE5F99B26496,SHA256=1FA82F9EA1EE0578D09B2CFFEE196DF6E332927FBE805008A48A550FCA8F7D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215591Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:17.871{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42FA2B0CAFC3A994C06416E5CE1D0A10,SHA256=CACA1AF023AE771D6EA7CD993F082CA172DBE75B20C6F991E8FE2FFD3F136A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161856Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:17.190{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFA7E768C36AAA663D221DD65C61CE9,SHA256=6E67722D70EABD4CDB82F2DD8914523F3999BC8110248EB7CAB6F686B79D9E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215592Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:18.885{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5803F7991A8FA91B30C16937B145A3A,SHA256=033FA68E2EA7561EE7A1C760AF05259613632B271B18A1FF4E4E8375C38DAFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161857Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:18.190{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B94FFCA94063693BC912EE9FEF4E21,SHA256=49ACEEE357FEBA7E244055CF33596D1AD3C84114EE7598D8F377240D221A83A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215593Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:19.915{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D61B2E99E4C21FAB70A449DC44A4E3,SHA256=7B6DBF53305839277D8844515C4CB4C6FC489FDC123C263689BBE6099C1408DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161858Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:19.206{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001E0B16100C1E4AD4C81C1D2BE0C053,SHA256=FB79BA00A2D141FD94258153D686F509213245EA443ADDBE36718188EF82A42A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215595Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:20.949{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F283438AFB6D099F2FAA74FB0A7A88F5,SHA256=DE9710C574A73E68F0741CFE41235C8A94600CA1DCAA73FBA9EAF866A59F27A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161860Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:20.237{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637EAA9F1791DD2BF2FD15B25D8E732C,SHA256=3901F5A6BB2D31B5A189FA009E43C60FD5D3A9DA7510C6B4604102EACD8BD293,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215594Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:17.156{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64844-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000161859Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:17.908{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52181-false10.0.1.12-8000- 23542300x8000000000000000215596Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:21.968{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E4D8E30BC57D4C730D5236B4084DC3,SHA256=C4E7FD21CBD3E2D8BEF4D2CDCA49EFF134D095DF7B3F999A206A5210DC1BFBF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161861Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:21.284{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A79B9A74FBD827D1BC60D388D689281,SHA256=5D5167C6B2651CE8266A998FBF37EE65EB2BBAD8F23B854614B0731894414831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215597Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:22.984{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08DD30791E96DFA9D01EC4B01E7B0577,SHA256=3A2F4FFA9AFCA4D87964BBAEB87B3029BE376A3399CB46274844B02C87A4D32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161862Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:22.300{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E964B9EACE67A772F0B4D12510E602D1,SHA256=4DA2A9B8EBD9CE0A5EB38FADA786C38005C437030326E8C8CAB6FD80B8D52781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161863Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:23.300{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E843ED65D25FE7FA758586189622D829,SHA256=B1A89E5A0C0A89E10818845430D581B84E4A40F92777E97CBEA620F9C405C792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161864Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:24.300{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A93FCE75B78B44F95FBA1845722B4BE,SHA256=7BA4E1F62EB9D6D811EE5432D714D716654068C2F4993ACC46BE621A1614A9E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215598Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:23.998{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF96D6BEF79C294C274F76184B1A3765,SHA256=17068973AB6BA01FDB1241B191F3B045B8EEF01CD992E566E5B539851D055706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161865Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:25.346{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D90F67E4A24F836F346DE544D436DF,SHA256=8D8243A9EC382CCC08B380C05459F57105761A07FF59FBD2B02895B6E81CDE35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215600Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:22.291{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64845-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215599Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:25.013{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C625A61ACBD258C8AFF91ED9F421DBC4,SHA256=BD47D8C4F58988F0CAF6A63466127F384F480AADEC5FA4EC1B97880B76CDA519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161867Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:26.378{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182F323E20D694D1BD40AE069006273F,SHA256=3654ABD7532CDC14679833D583133591A41214E23A27EAA6D3DECA912ADD7484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215601Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:26.029{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2707112CCC857F97D629C23B1D3C70,SHA256=582C1145DD596612A312D63C5F996F0ECEDF760D1ED254B8383E395F7A962000,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161866Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:23.752{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52182-false10.0.1.12-8000- 23542300x8000000000000000215602Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:27.046{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663507485F319B1F07FC433511B7D9A6,SHA256=1469120BC29313E4928CB2551C65F716F62F274B75DA8A8EEF119C4E67EEF0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161868Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:27.378{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088126FDB8188BA9B0A4F2B938378CE7,SHA256=1C119557A73777A102FC55E75ADB2C8FA29D815E57685632494607FC988C77CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161869Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:28.424{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AF4AAC81768C71B7DD61A7201820C9,SHA256=1F85EF33528695160818DEFB77944A81EC2F9A912232C638BBD69E996E67AE97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215603Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:28.065{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864EDA190399B07E5CC6E37FB4822C3C,SHA256=246CC8668ECBDBA2F49923EB09C385909A76FC642E4212BE9B7205324461F01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161870Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:29.440{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D70154D788D0E5ADF64DD4B243413CB,SHA256=3035E09C298784ECD8A4F47D273543AF8010997FD27F52CCAAD139F9F95B37B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215604Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:29.080{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE0780B1F0C5DBA2A5723BF4EF5D4D9,SHA256=5D452781A6F8FF50B37C51CE45F6C566D89B383E32A98B8920247BE44CEE8262,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161872Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:28.783{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52183-false10.0.1.12-8000- 23542300x8000000000000000161871Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:30.440{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3DB367A0D4D778FF46A917EAE0B54F,SHA256=0FF612785BD68FB29F4B88694DE03529F6FDC1034FD143F49FB70195189E4CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215612Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:30.664{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=62079AA28BA73E2103220BD5EB3F81FD,SHA256=2128E1BC06949986FEF60D15E14C5C75AFD60C1967A7A96690C5BA3433DF5B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215611Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:30.649{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=376A526DD97B74E55CA9AC5CEA04DDE4,SHA256=A7C1FA5F34B7D95B36850149B3D7ECE688F95D20C960220B5B597EF04893F534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215610Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:30.649{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=1330F98C96776487254CE570CE1E7D7A,SHA256=8F7C160B45AAE3FC60E40A0558E315962BD0E4593491D8AA068CCA609F497379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215609Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:30.649{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B0E5129590299239D890EBAC4FF00E69,SHA256=C9B7AEC934782B9F4CF14BB1E62424250E9213418AC3187C26C7CD9EBE889E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215608Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:30.649{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C139F8B560D004554322AA21CAFD7314,SHA256=CD9C67BD1EB62333D86D839D2BF64D400DBF1B9D3B08C5C85FF5F780E20FC682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215607Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:30.649{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=59A17FF1A643C1718282013622BC2BF9,SHA256=F002D7DC56D881239C5D9B532E94B9B64EC1CA6EE91C18353EBABD3EF7F634A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215606Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:28.319{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64846-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215605Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:30.081{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918FC251B72184BDD9AFB26E77B130CE,SHA256=B76B83A563123133F05680041D02BB7B6845D6310F81D7EE154A3B7DD10CBDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161873Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:31.534{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C9AF66A9E453AE153F7CB517DAD9A5B,SHA256=93230636D39E48D29AD071A109D244AAED809615397A51AE9D32DEB9376D8D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215613Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:31.095{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9862090819419280C4FB52C5C6A52310,SHA256=64FBCB10ED67CD11D4DB530F4A1846964742F1EF8E4C65937D416F51571AD039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161874Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:32.565{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21936BF72FDEAE5392075C0FA1C95D6E,SHA256=0AEA17B4AC46852AE094CF73305D76DA8F1599B6284E32B09CD8165927FB03AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215614Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:32.126{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31869F2C41331139AF323FAD2372FE0E,SHA256=8E9A149E46FE4E67D368076EC4F6DD005D443D1B1D9F899AFCB45627EE4167DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161875Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:33.565{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC82B79E1C850E614BE1A04BDB9B5137,SHA256=AEA5C228B9A8BE4F809E8B2EC5D180A11A4499857800833D4A08AF5517243B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215615Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:33.144{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4B2B6FEC14423C523D9565896E1BC6,SHA256=8C14CE52374233D9120933858EAC43531958A9EFA86EBBDC4A0EC96327705A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161876Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:34.565{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246E0992A0F657008B6B00EC1EFB7B4B,SHA256=BD34D2C51F51B6EABEF130E50100F1B08F798F9FBF692E58735CCF207B234A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215616Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:34.161{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C90CBD160F00648B6B8C8686BBD7BD1,SHA256=C4BD28467776AD9CBEC7D09738E25069285B0ABD0A0C2CDCA0028A1AC9E84B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161878Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:35.565{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6FA3864FDDEDFC8148B545631C2DED,SHA256=D829C88A524F3863CA8D32D4EF9BC1DFBFC79B66D503BD0987AA76F1B0D9CA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215617Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:35.176{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2C70AA46121DC2C8B5521EDDB793E8,SHA256=A77C2F7C2AC91405782E9BDD83641534186D8B66261F04CD67161CB4EC127E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161877Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:35.315{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DCB48F3D39C5DE40B9D0A65882FC6473,SHA256=7DCFCA3B457F4C2AA90D8EA734C58ABBBF8A8A6644087EBD05774FF97DB09221,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161883Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:36.924{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1500-00000000E801}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161882Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:36.924{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1500-00000000E801}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161881Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:36.924{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1500-00000000E801}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000161880Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:33.893{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52184-false10.0.1.12-8000- 23542300x8000000000000000161879Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:36.565{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A753A24CC942A88B002281A555E3049D,SHA256=4D72E4ABCDCD3A86A64F80AAF79E33C20EAB90DB2A1FEB8B7F60BE4509ED1DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215619Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:36.922{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4409D931B2556659F3831FB58EFC5CDD,SHA256=A75181BB39489E51A5515739BCC37C917C15B90400B73B8CE0745DF6950F2335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215618Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:36.191{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF6DB7F1594BF66BD2860B81477AE9C,SHA256=8EC667F5DEC8A43E012434F8EF82C7B3A4F41EE7BE1D5AAF7261A16D94CD279F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161884Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:37.565{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB73303E8AE04E97CAA7839580CC9E86,SHA256=66758A63A201FA9B3B0750329DCA79D19C464A287BEA429A5116C993FD022CB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215621Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:34.331{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64847-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215620Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:37.221{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3A83D8BC19C394116B5D56A974EA1F,SHA256=2AE30CEA692575356AEB61C3BE24FBFA829E4DA207AE0D07AC6240163BBA6C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161885Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:38.565{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C470AEA0225A6CAC2C29A4E4E844E362,SHA256=85317150C81344FD04379BB0C5BC33BA729A170C16CB2AEC3966893896D4AEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215623Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:38.863{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215622Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:38.240{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F660277B97C7635C29A44D3310F2B6,SHA256=38C112CE95A9E8E8D6EA1DB3ADD289921FBADBDE436988325868DE74E135E4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161886Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:39.565{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FCEC5DD343EFC19090E4D19A0AC2B7,SHA256=A841E59391A82BB080AD7B2A2A599375D8131DEA5D9A9137137FC6ED55F2511F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215624Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:39.245{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5DB025FBFDB02FB96D068D166C8C3E,SHA256=A2A2DA7E848CF33B0D974285F3CD95BB461D29D90EED415860E2BAB494CC3E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161887Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:40.581{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C162FEDE846C1656EC74EFB46A4E1BE4,SHA256=0C731BFE2EE4B15672558902DE5CD236D35AEA8349264E23A40A07E51EF7F9EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215626Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:37.965{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64848-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000215625Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:40.309{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597178BAF78CCB49B374878F255DB8A9,SHA256=768533FD6DECBB91A3B15B45B9517BFBBFE7B82233CA52F6E6E3824CAA63A09D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161889Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:39.691{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52185-false10.0.1.12-8000- 23542300x8000000000000000161888Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:41.581{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F86D76E3AADF55EA95CA5B0605FA4F,SHA256=46432D0A3F677D432FB0D66FD1367EB724F24ABAFA8C298026B8BD538C9D675C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215627Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:41.324{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E52F3F6C83FB6F1C14A20AF728FC303,SHA256=B7CCE058E930C953BFA6220EBB5E5C943F874D6964C0EAA216532F5E9E11464B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161890Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:42.581{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169298708B251BB3AD60E68805A13449,SHA256=ACA20730E9A8A2FE6D4D77D6F7C5829FE67B0AF5756C7E7D532A00592E899C7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215629Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:40.301{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64849-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215628Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:42.326{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8396F2AF7F708A074C614BE5DC1DDF,SHA256=2817BCC0118F7BB2DA21C00D52191CE117526ECA752E9DB40159D591B45641AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161891Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:43.581{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3564047FE0B337A441E84CC296CE36,SHA256=AEF599A576B2FAFD11C6F53113342E7B87CC37085775F32E5E206D88013F1997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215630Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:43.326{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38E400F07CF4CCCFABAC5218C2B1C95,SHA256=E8AA988B881E3EDD0E7312F15965E2C4E252E8366FA9473F2EA82BD4883EAB76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161892Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:44.581{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786BA8EFA75557449C288A7F458EA3FF,SHA256=B1DEDC4AC49C5615F1CF5CB38F4A61F7C88E9DBFD4A7BAC1FD6F47C2231D9C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215631Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:44.343{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D38C1157EEEF910883378C1804656F,SHA256=523FD5BA02B55E0C265307CD73BDFBF2BA87F052282FE27F0ADFE92E909B4541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161906Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.674{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65CA9EBCE83ACC5B2362B41D474A584,SHA256=494120095B261C92A8369E1055D4A2B43F43B7A78AA8E1BF6A4DB85222AB32EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215632Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:45.363{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4652D7A62116C8293C42FE77A08074E8,SHA256=45EFCC9762138F5BF77F37670C3BDB5ACA0E11E95E3B16CB803C8242392F7DB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161905Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.643{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5605-6116-1406-00000000E801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161904Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.643{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161903Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.643{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161902Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.643{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161901Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.643{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161900Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.643{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161899Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.643{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161898Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.643{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161897Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.643{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161896Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.643{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161895Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.643{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5605-6116-1406-00000000E801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161894Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.643{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5605-6116-1406-00000000E801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161893Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:45.644{C6197713-5605-6116-1406-00000000E801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161936Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.971{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5606-6116-1606-00000000E801}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161935Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.971{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161934Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.971{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161933Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.971{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161932Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.971{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161931Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.971{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161930Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.971{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161929Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.971{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161928Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.971{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161927Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.971{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161926Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.971{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5606-6116-1606-00000000E801}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161925Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.971{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5606-6116-1606-00000000E801}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161924Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.972{C6197713-5606-6116-1606-00000000E801}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161923Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.862{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37E9E7A37EBD4A93975CB5801EAA0809,SHA256=EBC0636D665C8B8851B2B7524E06FFB248A7CCA34CA4228F0F23A22C79292475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161922Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.862{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17CAD13CC50EBFF0E479733FCF051BE4,SHA256=31AEFEDC0713001A10EFDF769C4AD4D859B50FB4938AD27D59F5DE5E53E7E87D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161921Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.737{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A3E31BDE526E9E37B1646C0C5B208C,SHA256=E28A11C03DE14D47E6DCB1837C86EF05CD546DD809B893B93E78F5CD99D0CB60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161920Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:44.706{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52186-false10.0.1.12-8000- 23542300x8000000000000000215633Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:46.378{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E710FC73C7706D6A1BE9536F1479CE7F,SHA256=8628F82AF4C8AF47566EDFCC3E3A2ACA325F5211D5E30AEEFBD8382716EC401D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161919Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.315{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5606-6116-1506-00000000E801}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161918Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.315{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161917Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.315{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161916Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.315{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161915Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.315{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161914Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.315{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161913Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.315{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161912Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.315{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161911Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.315{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161910Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.315{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161909Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.315{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5606-6116-1506-00000000E801}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161908Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.315{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5606-6116-1506-00000000E801}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161907Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:46.316{C6197713-5606-6116-1506-00000000E801}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161939Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:47.971{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13B871760BC6D2193F616CF7AABAA0A,SHA256=1D0BD5769E50B171955258F2344A56E76D9A6DC35C6384CCFD6A6C9196F730E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161938Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:47.971{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37E9E7A37EBD4A93975CB5801EAA0809,SHA256=EBC0636D665C8B8851B2B7524E06FFB248A7CCA34CA4228F0F23A22C79292475,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215635Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:45.386{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64850-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215634Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:47.378{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9EC35832FD093ECB3F8517231C28D2,SHA256=F9F1041D2D001C5384EB593A45AF42F5546D408478F89A9357EF3481F2450439,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161937Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:47.159{C6197713-5606-6116-1606-00000000E801}37523516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215636Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:48.409{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943BAAAB744A434287F06E124A20214D,SHA256=CACED9F739E89F51568F02D7A9935F3FBE2219D0C034CFB493E145399A6A5847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161968Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.846{C6197713-5608-6116-1806-00000000E801}33642392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161967Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.627{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5608-6116-1806-00000000E801}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161966Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.627{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161965Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.627{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161964Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.627{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161963Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.627{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161962Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.627{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161961Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.627{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161960Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.627{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161959Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.627{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161958Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.627{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161957Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.627{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5608-6116-1806-00000000E801}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161956Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.627{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5608-6116-1806-00000000E801}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161955Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.628{C6197713-5608-6116-1806-00000000E801}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161954Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.393{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161953Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.362{C6197713-5608-6116-1706-00000000E801}1776864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161952Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.127{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5608-6116-1706-00000000E801}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161951Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161950Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161949Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161948Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161947Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161946Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161945Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161944Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161943Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161942Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.127{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5608-6116-1706-00000000E801}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161941Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.127{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5608-6116-1706-00000000E801}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161940Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.129{C6197713-5608-6116-1706-00000000E801}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215637Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:49.409{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8460B50BC169596C5771B417E80D3F7B,SHA256=2F531190599E6D16CB52E3ADCB5D54F8CA7027D3C89464C6EA0D43F18CDBEF16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161998Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:48.050{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52187-false10.0.1.12-8089- 10341000x8000000000000000161997Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5609-6116-1A06-00000000E801}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161996Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161995Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161994Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161993Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161992Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161991Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161990Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161989Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161988Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161987Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5609-6116-1A06-00000000E801}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161986Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5609-6116-1A06-00000000E801}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161985Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.800{C6197713-5609-6116-1A06-00000000E801}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161984Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.315{C6197713-5609-6116-1906-00000000E801}3416784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161983Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.268{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BB9DEE4125F2030B5E516B717D142F,SHA256=DBB4F715E2CC66CB9EA544ABC95677218525526BB9E01B00A5C6FB3ECD545258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161982Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.268{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80BC5286D8C861FFE79B75D11D7AA210,SHA256=6C54143733987319003C0A7C34087CD4B69241F5697A959EBC8BFD755446D158,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161981Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.127{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5609-6116-1906-00000000E801}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161980Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161979Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161978Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161977Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161976Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161975Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161974Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161973Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161972Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.127{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161971Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.127{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5609-6116-1906-00000000E801}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161970Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.127{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5609-6116-1906-00000000E801}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161969Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.128{C6197713-5609-6116-1906-00000000E801}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215677Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.684{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F801F8D38CEF8DF59B7B5D295F9D520B,SHA256=F85C2F9AC5057D13FF796A325D13201A0F84E56309403D0F76888578E1EC90DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162000Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:50.815{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E486BD870BF847B7790CCAB4AE7B89B8,SHA256=B001B6211227A9E97A38F145D9119442A42052AA26DB1C42F181DB48EBD6E061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161999Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:50.409{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8104ADFAE7BB4B3257EA1699D33902F2,SHA256=A451FA16AC3D2E41097F37F33C43AB70052BB9C1292A61C297C268D43A98A80C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215676Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215675Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215674Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215673Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215672Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215671Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215670Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215669Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215668Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215667Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215666Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215665Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215664Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215663Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215662Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215661Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215660Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215659Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215658Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215657Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215656Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215655Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215654Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215653Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215652Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215651Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215650Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215649Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215648Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215647Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215646Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215645Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215644Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215643Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215642Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215641Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215640Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215639Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215638Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.299{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215681Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:51.867{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215680Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:51.867{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215679Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:51.867{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215678Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:51.698{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C3C3F29F9DEE1055BF69C4F829195C,SHA256=591BC2D9EEC5EE50ACAF58B7B4CB2F61BC9DB017387C9E049C0F8518C3EB0167,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162002Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:49.737{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52188-false10.0.1.12-8000- 23542300x8000000000000000162001Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:51.518{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899AD1E0E505ED62CB57FC48DBBE42AA,SHA256=B021D73EF9CEC3A81B34662E529DF150C8D3421F64700EEC96D0B367C8D160BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215683Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:50.391{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64851-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215682Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:52.713{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA103A8A7460BFA657F6C8FFFADC6872,SHA256=A1EA3A64F6061569B3AA894B0B909020E8C96803ED8FAC09B11122C5C327E1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162003Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:52.534{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5010CB749D34E17E26394E88F33FD4DE,SHA256=A9F2479DC8E22CE45AA3DF601DF7BC62EEA738FC468DF4205B4FF511BA7216BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215684Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:53.715{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2FF2D95444E8CF6C3013E0AC371DE5,SHA256=C93FF2BAC1D55AC7F5F573E95E1F2CBF861E936DAC9DCE0EB17AFED3A657CA47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162004Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:53.565{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139BC5DD7409B64D30A2A0BF686768EF,SHA256=FC935266267D7A0D5CB9075FE4724DFC6B8E49A1FC5E40E3D34A97475C2E8B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215685Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:54.748{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027DBC7FC65D94562B16995E2590DD6B,SHA256=6D3DF96DB67FD1EE6794D8E2BEFD5C9D61D0C41F81AFD11340AAEC2BBA3654C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162005Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:54.565{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C76CB1FF0D50C4B53C52711C6991BC,SHA256=F9BCB6670B8EBD72B1A538253D276B103791733AC317D761F28A4FBD7F267BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215686Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:55.766{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C46603DDAA53623AA0A8ED2CF50C5EB,SHA256=59AFC0313D26033CA4996AA16D9563A921EBAD8AA69CFFA51A34AF2C131FDD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162006Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:55.580{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED5B791325D4A3F36AAAFBEF57605A9,SHA256=A57006612B6F357D63C81E35F6071DB908A9F09ABC83C5672159D7784D3C1349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215687Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:56.781{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED44C67EFB02845F982831A9438774E2,SHA256=FD19FF5F59EA00CC2FE99024C079EA0FB1C4BE9244040857B55D3E8997B40236,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162008Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:54.925{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52189-false10.0.1.12-8000- 23542300x8000000000000000162007Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:56.583{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF50AFE3BD870FE36CF9E31FE87068D1,SHA256=3C2A9F0F112C9BA9ED7A05D9C1ED1ECCEE0FF311AF4D48745D7D50D9208684D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215688Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:57.795{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FA222FA600F20B3565487E0CCEA31A,SHA256=0E404B7F94EF54B636E049A4264438DAA806CDB1995F31553AA1990D08AEA953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162009Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:57.596{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD32D0201F99B4BE0D8E8F2E208B395,SHA256=FFE3FC63B0B7DCB8670D4762C90DA07FCCF41DA94FFB23CF868D529E21CC3093,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215690Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:56.151{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64852-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215689Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:58.796{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EC87CE793A87F7F5FBCA9F613C1132,SHA256=BD28F1BE50314BC7B71C3AE8A2ED6613BE0868D6FFD6728CB12E820BE816BCCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162010Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:58.599{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92032944ACC733C36ED318682111A71,SHA256=A6885533C74ABB80B858F4319A6682FA65A754CD5102F8EB01A5417318DF2BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215699Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:59.829{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096A2466D8CB8A790FC21996D403EF8F,SHA256=60342E92E80ACE4B5AF89403B201803E3A28264D4F4367C4CC2A48FDF9CC303A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162011Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:59.599{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A544C3E2D1BD11792A8F38760D4C7C,SHA256=EA77BD33CD499A1A7FD2E720960E6A8D0D61818742F88DDF17ECB2585D56090D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215698Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:59.766{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5613-6116-1F07-00000000E701}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215697Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:59.766{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215696Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:59.766{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215695Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:59.766{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215694Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:59.766{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215693Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:59.766{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5613-6116-1F07-00000000E701}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215692Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:59.766{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5613-6116-1F07-00000000E701}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215691Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:59.767{079FE16A-5613-6116-1F07-00000000E701}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215719Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.909{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5614-6116-2107-00000000E701}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215718Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.909{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215717Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.909{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215716Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.908{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215715Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.908{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215714Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.907{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5614-6116-2107-00000000E701}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215713Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.906{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5614-6116-2107-00000000E701}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215712Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.905{079FE16A-5614-6116-2107-00000000E701}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215711Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.887{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A609241225AFB43386B8F21801143A40,SHA256=BADE38E784ED68B01B540BC97AC2040BEB459316A9621CFBBE6C5FE9B3DCE517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162012Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:00.598{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17955363F930DE585D922A49E34BC0D,SHA256=34B2A7F7148BA5F315DD9EA00EA8145D4B7DA22BFF01178AB91A5922FD23930C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215710Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.772{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A658BA8EF4214A1C15B76082CBA503A6,SHA256=0D40DC1149ED5C424CFF54B5BB6E4D9E4B81969565C96F0B4E295A1317B2EF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215709Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.772{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5441F38B21C108611AF0037FC645422F,SHA256=0D07424A07C7F3D2DA8FC82BC73163447D9A7B5875687A3E53D1D2E3AB2F777B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215708Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.255{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5614-6116-2007-00000000E701}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215707Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.255{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215706Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.255{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215705Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.255{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215704Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.255{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215703Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.255{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5614-6116-2007-00000000E701}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215702Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.255{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5614-6116-2007-00000000E701}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215701Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.256{079FE16A-5614-6116-2007-00000000E701}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215700Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:00.092{079FE16A-5613-6116-1F07-00000000E701}66325260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215721Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:01.908{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A658BA8EF4214A1C15B76082CBA503A6,SHA256=0D40DC1149ED5C424CFF54B5BB6E4D9E4B81969565C96F0B4E295A1317B2EF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215720Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:01.908{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9D91BBDDD21F2C86F004CEFE386C00,SHA256=08FEA53A6DE4137DD515E7E6C41E7DEFA0B24C7D2FABF419A47DE4F678F5CC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162013Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:01.598{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FFE56218FD3FA17CF594D8FF05B016,SHA256=363BAF5B6330556B5E627DDEF76290F6173D9EA71C3207587212AA95F051C452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215732Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:02.938{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9717B6CDA0E5D08896290F953F2ADC43,SHA256=B2CE3FE6784A6311AF7D98F0905E777E7957F3A3402B0679D8AEF13919428394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162014Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:02.598{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25DBCF929DE77786290ED86D89B641E0,SHA256=AC3163611C2FC0A94ABB9A76892486D07748584A9333E7B8F921C22A97D9BE16,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000215731Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:23:02.570{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000215730Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:23:02.570{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b97635) 13241300x8000000000000000215729Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:23:02.570{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902d-0x3213dca2) 13241300x8000000000000000215728Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:23:02.570{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79035-0x93d844a2) 13241300x8000000000000000215727Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:23:02.570{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903d-0xf59caca2) 13241300x8000000000000000215726Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:23:02.570{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000215725Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:23:02.570{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b97635) 13241300x8000000000000000215724Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:23:02.570{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902d-0x3213dca2) 13241300x8000000000000000215723Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:23:02.570{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79035-0x93d844a2) 13241300x8000000000000000215722Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:23:02.570{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903d-0xf59caca2) 23542300x8000000000000000215741Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:03.938{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D2B27237E31579F0867B662443C48B,SHA256=9013EBF4BAE7BE1474E64158D06D867891827A3FFAC61B395A9B4339FB7298F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162016Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:03.598{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44DD8CFC5C268451B2DFBF67CDA647C,SHA256=A10D116D706381F27BEA42720E836FF8C24503D0E5B8DD8A4B89A473915B85A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215740Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:03.738{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5617-6116-2207-00000000E701}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215739Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:03.738{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215738Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:03.738{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215737Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:03.738{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215736Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:03.738{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215735Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:03.738{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5617-6116-2207-00000000E701}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215734Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:03.738{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5617-6116-2207-00000000E701}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215733Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:03.740{079FE16A-5617-6116-2207-00000000E701}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000162015Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:00.724{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52190-false10.0.1.12-8000- 23542300x8000000000000000215762Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.938{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2BA8001415A66D0F460A411AEF6556A,SHA256=947B6A4F7660EDDAE6CB240ADAB8AF8EB8D5EC04ABCF729930222921F3EC6092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162017Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:04.598{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F01FBFCCCF590CB4FD9BC640F4564A,SHA256=49140D90B6F34633B9EBD68C61D41D20399417A296F6F875B40BF39668513FC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215761Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.870{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5618-6116-2407-00000000E701}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215760Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.870{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215759Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.870{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215758Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.870{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215757Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.870{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215756Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.870{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5618-6116-2407-00000000E701}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215755Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.870{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5618-6116-2407-00000000E701}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215754Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.871{079FE16A-5618-6116-2407-00000000E701}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215753Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.723{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A5B15727453A06396E8708E7C2BA628,SHA256=F8625104139A510C48003270E878A91C74DCDCFD2397CD61D6AD998F49DE6B80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215752Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.522{079FE16A-5618-6116-2307-00000000E701}41483924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215751Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.254{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5618-6116-2307-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215750Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.254{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5618-6116-2307-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215749Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.254{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215748Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.254{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215747Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.254{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215746Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.254{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215745Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.254{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5618-6116-2307-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215744Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.256{079FE16A-5618-6116-2307-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215743Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:04.085{079FE16A-5617-6116-2207-00000000E701}65325588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000215742Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:01.178{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64853-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215775Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:05.939{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBBB6C5E5CE7B7CA6EC4650D62F2FB5,SHA256=63FB89A00E26772D283BC6258C291C63C94F1B10D4DE34787D0AF5453BC88AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162018Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:05.598{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC864D117B662A1F68E3836ABB11441F,SHA256=2E521FB1DD701DB3A3E2CFE015C9068092D9B8A45CA32582DF2D8AF819A53475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215774Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:05.886{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0663D329E7543475CA6401A3C9C73C75,SHA256=59BE6FF9277F9E17C62712D10E629911D86B748613B1200D2BBA2A2236BDCD32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215773Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:05.723{079FE16A-5619-6116-2507-00000000E701}7086820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215772Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:05.538{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5619-6116-2507-00000000E701}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215771Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:05.538{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215770Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:05.538{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215769Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:05.538{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215768Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:05.538{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215767Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:05.538{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5619-6116-2507-00000000E701}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215766Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:05.538{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5619-6116-2507-00000000E701}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215765Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:05.540{079FE16A-5619-6116-2507-00000000E701}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000215764Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:02.847{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64854-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000215763Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:02.847{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64854-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 23542300x8000000000000000215776Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:06.970{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE7F223D07C17277E763AD280D82C79,SHA256=662716B40FF06F85A252B735228E1C5DDD3AE1BBAFFDACD9FD0D5D47AE88D525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162019Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:06.598{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFB76CB7CA270E1A3B0F74B8D11D816,SHA256=E082DD3C0C95EF56DEE4BE4CD9973F67C24C38435EDFCAB0C87B7DABFF8ED9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162020Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:07.598{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B575B11C2B88AB419C25F8153B469C68,SHA256=2D4C7F8C09027324C0A1BB3FED6B45BFD8A2BE665068E26D2EDD521521396969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162022Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:08.599{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08364C0FB000709349133CA21BD384C,SHA256=CF2E649DF173BE589B706DEC5AAE62BA21B6E905F97E3DCC0A4A8FE67DC06923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215778Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:08.106{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\aborted-session-pingMD5=BF0FC49918EDEA1A41F55220343F6CEB,SHA256=D56034596C5AA004A46863FBDAC5CDEBC56BF7F96BAD5781A181CA07CF6F2FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215777Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:08.038{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC2836BE218FAED5EBAFC2D57EDDB9D,SHA256=92D65F653C5B14D2323FB738C8ECB08F3FC476D6E9425BF6E4768B0E00CA3AD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162021Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:05.912{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52191-false10.0.1.12-8000- 23542300x8000000000000000162023Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:09.614{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E4A42DB9163EB0835AAC1AA473526E,SHA256=543C5AA5FDCAF21EB92F5BE551AE50CE839499ADE403AC42A5F87CDB8F70FCF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215780Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:07.162{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64855-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215779Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:09.069{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706EF01AD0039DF67F5577BA03BB4C9B,SHA256=ADAE305901F4FEFF890DEE5C1518953EE300D6B55DB89B256D00FB673E224207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162024Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:10.614{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A61220CF2755AFBE2784410411F3C2C,SHA256=A74C888CF2F67CDE71A906C7B4C5AC2F0956E369DDAE23240615B8B1D4CC8B86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215781Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:10.137{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017C6F2373DB7106EA500BCB84BC9C4F,SHA256=926578DBD9FDC5A0B24081ACE434CC29E9A603B486B3F53E84A6CF8A320407E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162025Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:11.614{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFC31B51D851841A444E883B46A910F,SHA256=87BCF67C96AA6FDFF21C1686F8673C7C985EBC8359979816E5798B6D59808323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215782Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:11.152{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030B8E6ABD1F650160766C9061D1DB87,SHA256=29F15062D813E0699E82DAE15DDAC77DC6906689D9BEABE4308BF55BD232464E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162026Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:12.614{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02297BAD0C609E608F4829C6E5B5EBA8,SHA256=0B50FD0CB609FBB2D3FEBA680F8D27FC93593E287866E334CAB703ADFD3069D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215783Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:12.167{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D365E890BAE4FC3437267CB55776C55,SHA256=51F601F50AEDD1FC2F94815A4EEFF0F237A319E9288395B7EA4CC8BB2102ABDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162028Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:13.614{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E800099318AA3BE52781CD1722A3BC,SHA256=BEB7F1CCC0CA5BCAB3799AC223F4EC68EF8F39E969C1C4A83D8F6128D777DF3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215784Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:13.169{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63CA868D5104D824FC918FA78A89AFC7,SHA256=9AA9EBCE2D31BB15F6FD7F47D11331CA8257633AD97692C6F6B760B6845F7702,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162027Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:11.677{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52192-false10.0.1.12-8000- 23542300x8000000000000000162029Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:14.614{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CAF8D8ADF2DE262167A3C02571EF28,SHA256=4FF9BB1D73C8D9BAAA67760ED6FA25CE22997A13CC63CC98B4E54DECDA96E074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215785Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:14.203{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213DDD4F9C9A4597A298B93D681F028A,SHA256=EEE5C67A8CAF0AD3A8584D764B0223EC5DBA59F3BF394DF59A0F19BFD129079C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162030Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:15.614{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17CEFCFBF86EE0273A94E3258570F88,SHA256=D05416191F80FD2B2B3CB875B164CB48DDA5715D259930B9781E8F1EBC9C9A0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215786Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:15.221{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7713D134F60229564A2FEA05DB0BE960,SHA256=82BFB0114277533F9FFA1E7F91A72A6F1AA038B1C5F47ACEB5669777E379968F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162031Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:16.614{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84FD4B38DA04AA1326051B9656480B1,SHA256=4287738774E7AF7742F75D6D9203F11FF16E26988207A808894ED55BEFD3BF73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215788Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:16.236{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3998776A0EEC3D7CC9770204A3DDD9C4,SHA256=61295F59F5A56128E1F5BED19902FF8FE6D8976ECDF51B7327BBEEDDB6B74786,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215787Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:13.208{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64856-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000162035Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:17.973{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4DCE8A2B54BA2C2880272B031755D3C,SHA256=92284F9241480E5E6843A63C7D7F4C333EE9AB7690B59750881B0588047A2D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162034Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:17.973{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6289407EDD3A5A89CC67EFE1EFD4AA4A,SHA256=08BA8C43A965B2B864CB8D1945620515B0B6E4887C2CA84ED3F1D68D63251485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162033Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:17.614{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99557154053E0504A888646F14CDD1D6,SHA256=242384E5066CCC9FBD7881054622506B1D647E43D2105189DD53377A466C278F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215790Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:17.251{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B45D4A21438C8F5EA0FC4EEA29F4A1,SHA256=CCE9975035ED17DFE176495044D0F3EE8D9E2FEC2CF8CA74B2619615411A0BFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215789Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:14.413{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.9.49.23995.9.49.239.static.ttnet.com.tr58025-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 354300x8000000000000000162032Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:15.000{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.9.49.23995.9.49.239.static.ttnet.com.tr58028-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000162036Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:18.614{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3881584153325D24AEB1E8384E9E5A06,SHA256=12C266C963C9CF61C74AD45CE417B36F5A93F72E9E6B9173532DEA6B77D8E20B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215791Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:18.266{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B71A9D9518963128D9BCBF3AE4B731,SHA256=63B4D70769ED202EA48C847C6D40C6F14ECA77416F249D23D17D9FD7186F5B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162038Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:19.614{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EDD0A223590175B81B181955CA46B0,SHA256=642AC722B54E29CCD13D31FB454586B00F8952A3AB57F3A534086ABA2950A287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215794Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:19.964{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22C0C0D75F6B244A11595340A889E30B,SHA256=0DD5D375997F117A8E296ECE6E82508D9EC7D7A3038B14A101FD32845C165E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215793Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:19.964{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=230B508A1F623F22B61853C18398BE72,SHA256=CB39E1BA3E8F192EAE2EE7272DE2FCD7048E6B662D41A03B2247C7FE9CD4B859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215792Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:19.281{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D57F9FDAD14CE68435CC24A35D7DF0,SHA256=6B22F9303E4BAE9FAB87FDA434E6D7970ABA186296CBEA457F0EE89FDB10CBEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162037Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:16.756{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52193-false10.0.1.12-8000- 23542300x8000000000000000162039Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:20.629{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA00E2DB78E541790A22D435B9EA79F,SHA256=FA7C1C45AB1067B0826443EA1A33D9B32DD862480FE40879D1BE0425E1BC28E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215795Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:20.300{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8003A23E65079707CF43FDAE6BF86451,SHA256=930D654A8991864FCD9B1F4095E170BA879E0E1A95AEF4562A42A6EC190FECB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162040Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:21.629{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F05EBFB500B1932157D756895F28D8,SHA256=3937934FD993BEF4BA8BCCD543B02627BA375606FE4F630E80294A42E6EE9B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215796Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:21.319{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9871C638E38ABAAF060BF0E14814B3,SHA256=2C786D331055C1373E0F4B5C36A8E47DEC26C73260185F5D7C4DEE00D04775F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162041Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:22.629{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED17A1CE18CAD7C8349E1E1B28B89CC,SHA256=DD0F7C4C184E88528D172CC03E3B743CE25C586E3B5BED938678B2B5A2335B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215798Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:22.349{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C4142725F3EBBAA6B86B3923B546EC,SHA256=C64714D1DB350D7855E35AEA877F96BDC5871E09FD849F2832E9A2F7FDA1B49E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215797Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:19.242{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64857-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000162043Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:21.771{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52194-false10.0.1.12-8000- 23542300x8000000000000000162042Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:23.630{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE741C2E1AFCB5B32BEF41DDD008D6C,SHA256=76D97F708A207A55265B0D1281FF98963086450D88071BE3F5481BA1F8C50AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215799Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:23.351{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCCCE3FE43E70C65CCC7E2450492F384,SHA256=BDA07CE75057FBFA72390AB1EEB8C67F0489742864E5C00BFF9976BC534E5B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162044Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:24.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C905AE9D2ED0D9634FC89FA6284032C8,SHA256=AF6D11A9240D10DAFA31F99967A198D61453A1739E75E8DEFF417366A7B5346D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215800Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:24.354{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C477ED798B0CA6A7D9F75892AC473DD7,SHA256=426566F97ACE5E1958BE0FD3CA6026C528C3A01E214EC1C95B58868AA5D8AD78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162045Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:25.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EE4FE720A00B6A70FE70820A17444C,SHA256=6CF2FC9F171BE62773F0C2B329E94CE12056CE585915D9A4D6B073296944E731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215801Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:25.374{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3D6298108EDD1C8BBC61DCCFEFFDBC,SHA256=D69DF176DE87BB34F2A85960CA143A8A10048025732843CEED12A9FE242F15BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162046Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:26.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB38C5E9989DCAD9461D4EAF699B5F54,SHA256=803C39B7F3D358950B98FDDAEF67A58C850B37C2C056C3184B3D2580B4A6267B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215802Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:26.377{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189D56230992F8BCFBABE52CA2AC857D,SHA256=5B51F2BCAC7A6E8334B83E4D06F7AE8C8D1C1394492D0FDAC0310082E74C334F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162047Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:27.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3AD2CA2B09B97507612307CC0DF0FA4,SHA256=C343329B132A1B549E6E3FBA22B7A0DD781A9B936D9026B069FCA4637F47C03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215804Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:27.391{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1806059DAD09062C5252D46D280A8A,SHA256=7219D69A7FD28D99612360F57701C47E673C98A2D9DD324FDCB1628F5DD252DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215803Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:24.298{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64858-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000162048Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:28.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A5B700FB81FBC804AAEABBCFA4FCA0,SHA256=4B2BB58A6D34AC8765A1E3E1234DAAA208CD517A738A6F57220C3B29C9A574AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215805Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:28.407{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5A1EBD44B33D6C1050FBC1FA9AECC9,SHA256=51502BBEBB12B173BCEA1EA8DBD5E767553B4E853B7812FE20A8AA256B15F052,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162050Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:27.740{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52195-false10.0.1.12-8000- 23542300x8000000000000000162049Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:29.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63765013A2416AF296A8655CBEAAE226,SHA256=6CF0647082E3A21647F694BA9803FA9A5C6F9D25D7A796699BF2A6D4A8B0848B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215806Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:29.426{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7A0EF2D3C5D54A642D28F9C44B4D10,SHA256=CC52C868395B020577738E3B1702488C1F45186A0E678A6BA27D30A87B16C30A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162051Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:30.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1AFC1078412CF2B0A6A68DFAF4206FA,SHA256=00C134620615130BE739C4CE55EA7A19B4185C124FE987FAA16C1DFFD40E7C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215807Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:30.447{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD07C6A56C969E51E9A59280458EF05D,SHA256=C4E49AB2F1C8129C4F1A7B8015B78140F5287E026329DC01FA91A61CB327D771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162052Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:31.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA95848FC4D06411253E6E65A582F742,SHA256=E0F87911F758AE71C58BED4F08B2294D08DCD13DEBB6E0AABF69F2CA741EC318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215809Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:31.461{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9A7B7D510F6FAA04466B0A4559FA4E,SHA256=313C15A7A7DE0F63D63EFB16082A4CD80E53763CF63A8D102E75344575F7EA83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215808Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:29.302{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64859-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215810Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:32.476{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80032E5CA347939DA85D9C2032441592,SHA256=00FE70A43843788DC2C35A9F90393459BB6AB11733DD76FD0C9D9DB4D6D5D1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162053Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:32.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA67BB3BA72CD77249EFE4D0A3661C4D,SHA256=77FA16AA3849CB1F6E71DE7718E75150FF1ECBDB2FE92C2517450040D7C8B693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162054Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:33.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E52A196778D62A1B233A23716893C6B,SHA256=9449024E8F0C2882419C6D27D6B7CBBA9DC689B7710344A23957353FCF8D9658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215811Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:33.481{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85ED48C667EBE6B71B54C0B440C68A5E,SHA256=B611AF852AC1C8DA270925615196CC84082D80F4ED5AF97F9A5CC13362D2BFCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162056Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:32.787{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52196-false10.0.1.12-8000- 23542300x8000000000000000162055Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:34.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AA277A7778E6D52A6FAF64157A93F7,SHA256=5705562483574C9510AF285909B00EB03F3819DA4132A49DFAAAE7B5BCA86718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215812Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:34.481{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB73A9D1DEF62F0E66821D9D202E482,SHA256=EDF99103D2E60354F9E2910069AE046D3E4BD8EC519ADD4E7D4DF8E79DF00526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162058Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:35.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEBF37DF5D3B8153DAF666D1A1100B5F,SHA256=CDAE88EFB75BCEEC42DD787948C399EB9914D22A3192EBE2D437B938A5C6BFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215813Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:35.496{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7BFE828E54EDA9696999B21DA9EAA6,SHA256=8E5B61EF1EEC18A6065308F5ABE9AFB3C789FB72F9F47CE6B872A6372A4128F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162057Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:35.317{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D7B39034ED912BD5A6EA67AB9CBCC861,SHA256=EA9C10B3709A8B82448EE0A665C1300DB7C93233C0458AE28A0F6CFADE504723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215815Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:36.931{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2B4ECF6290778A24A8BA52E9A9D151EA,SHA256=17E714B19DC5308351EC59426B90795D1F8FDDD5FA95B7E5F212D38B362B4A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215814Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:36.499{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBBFBEBDADA3B149A11B4FBF48697B5,SHA256=71AC3E03BB49B88C497C8ABC441BEF82A48C1D5D685377DAE6717387BC32AEF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162059Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:36.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE2BA412AC9C958131744737685F801,SHA256=9595C38BFAF2757157A62500B73EEC9225A95292C0ED14F540B01B46A5A2C75C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215817Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:37.533{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BFC1C8835EE89C570F88D2FB98B31F,SHA256=23CF82C125E7452219544D125CF6DDFD6A32C62053ED72E1F1B1B7E9F7C3ADB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162060Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:37.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74D80004658D9B1DC67929F3C565A9E,SHA256=332175BCF934A091DD7BDDFCD9A47E18B36921B080484D720358537849703A17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215816Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:35.308{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64860-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000162061Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:38.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=392644FEF0DA8090BB4B4EC4A874CD3C,SHA256=0EEE01B6749DB1D7553E192439C306BBCA6477781D91C67C8AD556C05F579917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215819Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:38.882{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215818Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:38.551{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A1588F80374FBFAA6C5A7DC5641C07,SHA256=FD0A0CEFF374DB1B79357359C8D8C4BE85569EFCCF71F56E7E027B820311AD28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162062Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:39.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E04F8ABBE000D85B61B415C9BE1D0F8,SHA256=51AA81E57B292AD18D1FE72431EA58527FBD68C09AB4B73CDF5916B7BC02D2EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215820Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:39.566{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12834AE3677369FB28361F328DC84E1E,SHA256=D9BF23030B83FBF514B6029689A8EA0784E2EF534AAC6DA96965986C1949638E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215822Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:37.990{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64861-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000215821Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:40.583{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09AEE2FCC714A45883082759642412DE,SHA256=358A3B445C0A3AE9B500F6A74871A5A89711FF2A74D7A82C607BBD3F6CCB8C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162063Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:40.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0288828EE9B429D4A79EFCC7E9178C68,SHA256=8677E6BC27CA67AAE310ECB01DDCA0C2FC3727D6C964A141D52FBFB0A2E49E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215823Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:41.598{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4261D89BA120963BCBEB59AB84A343,SHA256=C706C6D97DD3266396C6AAC47CAABED263832860A5EF8B202DA2EF482216337D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162065Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:38.835{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52197-false10.0.1.12-8000- 23542300x8000000000000000162064Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:41.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389F3F2D15B5FD2AC7766BA6B6F4658E,SHA256=D3E49DF0FD0A80DC703E0D42FCADE72BBB1008D03C9890494204C9C69E9CAAC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162066Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:42.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0298FA91899D584CA52766F701502128,SHA256=73ED6B9447A21B6E3AB5002DE86278064CA1143EEB34988A14AA74CF06669915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215824Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:42.616{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5049B06F51C8F005A682BFF28B0DE92B,SHA256=E100E1625E787A51464E4606E4DE23BD93B890029184BF0BCFA3AA0EAF06DC53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215826Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:41.259{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64862-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215825Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:43.617{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933BAC90BC51BC2E9501BA1FD635CB20,SHA256=84F5145291AF023F2A2E924F0A21F83CB9E8CE7E421954116E028CE55140DBE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162067Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:43.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE57634F9E3E43C1F3CE6B2B2EE9A7A,SHA256=2941A16336FBB61F6C2A42ADDA5A5FA98C9042B0190D353CC0B2E8D4DABC8364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215827Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:44.633{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678E3110E90A48B4E6929590B56922CC,SHA256=87F1F61F2CEA716C3391E8193FAC938C72207273813C53F4A9D9E169290462C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162068Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:44.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF391594AAF5F5C6B168CC51BC19AA9,SHA256=CEE3FD7A52EF0E0827954E4DB57E4462EF63CA712445E1EB853866B47AC076B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215828Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:45.648{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BE90EDEFB74F5D1328906018F88CDC,SHA256=406C66C6568580B326424D06C5637571290104508E0CC3E5D930B1FDFDAB3B02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162082Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5641-6116-1B06-00000000E801}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162081Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162080Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162079Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162078Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162077Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A044C028CF038C237E06836D3289909,SHA256=1D9DCC8346EA533318C1065E59821C48A1EC95768A40AAF46935DD24E53BD84B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162076Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162075Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162074Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162073Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162072Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162071Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5641-6116-1B06-00000000E801}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162070Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.645{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5641-6116-1B06-00000000E801}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162069Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:45.646{C6197713-5641-6116-1B06-00000000E801}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215829Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:46.663{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A4FE2BEBC6751EF141A35092AEE1F67,SHA256=79F0137CD15F663F2354D2B388716F8A2273D18A35D8EF54BC8BDF8136DBD115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162113Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.973{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BA3E3717E3225FC14259B33A9D8D8E,SHA256=98B21888086CEA15B4E15857B08F7E4462E07AF56F12060ECBC663B74D9ED299,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162112Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:44.756{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52198-false10.0.1.12-8000- 10341000x8000000000000000162111Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.817{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5642-6116-1D06-00000000E801}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162110Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.817{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162109Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.817{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162108Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.817{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162107Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.817{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162106Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.817{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162105Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.817{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162104Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.817{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162103Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.817{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162102Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.817{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162101Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.817{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5642-6116-1D06-00000000E801}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162100Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.817{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5642-6116-1D06-00000000E801}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162099Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.818{C6197713-5642-6116-1D06-00000000E801}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162098Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A0C74FD7D00B2CBE578EE34BEF26902,SHA256=B0270C51AA23C42AD2A7D0E608FF65668A2B17FD481E861F994698ACE2F7F0E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162097Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4DCE8A2B54BA2C2880272B031755D3C,SHA256=92284F9241480E5E6843A63C7D7F4C333EE9AB7690B59750881B0588047A2D08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162096Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.520{C6197713-5642-6116-1C06-00000000E801}19562936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162095Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.317{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5642-6116-1C06-00000000E801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162094Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.317{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162093Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.317{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162092Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.317{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162091Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.317{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162090Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.317{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162089Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.317{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162088Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.317{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162087Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.317{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162086Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.317{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162085Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.317{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5642-6116-1C06-00000000E801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162084Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.317{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5642-6116-1C06-00000000E801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162083Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:46.318{C6197713-5642-6116-1C06-00000000E801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162114Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:47.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C3A7F7A7678EC324066DA362BEA2D3,SHA256=EC34A6B7F355AB253A120EF0F3D0F97405B669D3F6351E9AD2BE257753DDCAE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215830Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:47.694{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1AB440A0336AE7EDFDC291BD67F47EB,SHA256=5E90A8EDF8562E83F8DB41177560BE1C5B5987A52E6A8283B71FD2D055C1B9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215832Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:48.712{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C75AE8A4986038E1B270A4E3575122B,SHA256=55967D663EF47CD29B347A899EB8F164DB27D72C47F2CE403D0D8ED47F90D19A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162145Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.895{C6197713-5644-6116-1F06-00000000E801}28442740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162144Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.754{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5644-6116-1F06-00000000E801}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162143Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.754{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162142Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.754{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162141Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.754{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162140Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.754{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162139Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.754{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162138Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.754{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162137Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.754{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162136Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.754{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162135Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.754{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162134Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.754{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5644-6116-1F06-00000000E801}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162133Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.754{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5644-6116-1F06-00000000E801}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162132Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.756{C6197713-5644-6116-1F06-00000000E801}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162131Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.645{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44EA1F16E55D71781BD6D4B795F3746,SHA256=6D0D9E5DDF35813E91C79C49338ADC53353358A7822027BDFA83565879CAF982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162130Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.410{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162129Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.270{C6197713-5644-6116-1E06-00000000E801}36163728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162128Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.114{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5644-6116-1E06-00000000E801}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162127Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.114{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162126Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.114{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162125Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.114{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162124Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.114{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162123Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.114{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162122Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.114{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162121Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.114{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162120Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.114{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162119Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.114{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162118Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.114{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5644-6116-1E06-00000000E801}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162117Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.114{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5644-6116-1E06-00000000E801}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162116Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.115{C6197713-5644-6116-1E06-00000000E801}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162115Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.051{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A0C74FD7D00B2CBE578EE34BEF26902,SHA256=B0270C51AA23C42AD2A7D0E608FF65668A2B17FD481E861F994698ACE2F7F0E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215831Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:46.371{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64863-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215833Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:49.729{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3563278CBA23912C3B058010CCC382,SHA256=DF78C1086F2BE9043C4C74C48B641E7C42CDECC5F0AFC3A9158EC0FD8CC13F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162161Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.739{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9415053E2655C9E6C5045FA0530C0F3F,SHA256=90D3A322C5392FEEAAD03661F4C47C31AE32724B7880F276AA0A2119E6407A2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162160Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.536{C6197713-5645-6116-2006-00000000E801}2452388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162159Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.379{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5645-6116-2006-00000000E801}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162158Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.379{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162157Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.379{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5645-6116-2006-00000000E801}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162156Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.379{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162155Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.379{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162154Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.379{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162153Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.379{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162152Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.379{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5645-6116-2006-00000000E801}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162151Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.379{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162150Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.379{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162149Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.379{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162148Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.379{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162147Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.380{C6197713-5645-6116-2006-00000000E801}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162146Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:49.114{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10422ABFAE895167DAB06A99E8AF0E0A,SHA256=BE367E31AAA4B7EB65018BCC7F2F0ECFC8CEBCEE69E4DF5100F2B2363F520F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215834Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:50.759{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B97341B5A35F55A5D0FE147E8990A9,SHA256=C8149E49196F4E0549B90BBA2F4881D85D36C817A3F633B9BD031A933E496DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162177Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.926{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A939575630C0B0C91906319EDB8A0887,SHA256=FBACD3A462CEBECB30841671C78261D618E4A3BA91892120CD163BEC83AB6D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162176Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.379{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3667520FBB43808BCD77BEDCC5A62EAD,SHA256=8DD60843DF065153BD05512655F3B22F5DC15D2260AD81F655E1A8AB721314FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162175Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:48.069{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52199-false10.0.1.12-8089- 10341000x8000000000000000162174Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.051{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5646-6116-2106-00000000E801}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162173Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.051{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162172Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.051{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162171Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.051{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162170Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.051{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162169Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.051{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162168Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.051{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162167Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.051{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162166Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.051{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162165Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.051{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162164Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.051{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5646-6116-2106-00000000E801}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162163Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.051{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5646-6116-2106-00000000E801}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162162Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.052{C6197713-5646-6116-2106-00000000E801}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162178Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:51.926{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123F6F0D3E03F8ACC50E5A432A46DC3C,SHA256=3587DB272BF45471CD26DA38432D3AC62EFBEF63EAC1B05837C9A69AACF2A9F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215835Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:51.774{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CB079DB56FCECE71937342E70F9225,SHA256=FCE9708C8A40D9A37651763E1649238CE272A45BBEDC11FAFFD8372F352A914E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162179Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:52.926{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D816B0E7DB0D22528EC14189E386AC,SHA256=3EF357B6EE9D9852387EF0B7B7B5F10950A411F14D683BD385979864F47EFF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215839Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:52.789{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E958CA607C70DF2E231C331EC2CD994E,SHA256=EF4894D99128FB9D578B6F20E8665A7C23CA8E4B79E29018525FEC5906FD8A4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215838Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:52.627{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215837Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:52.611{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215836Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:52.611{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162181Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:53.942{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3BFAD3D967103216E9706C6133DAE2,SHA256=60D7530022EC8D5127D157BFD79F4E221F0A8143E76BA9BA9FB6EB93A0779134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215840Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:53.789{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A568E4E51EFFCA381A7EEAC840063A2B,SHA256=4FB510FF6568A04501A417DD839BFF77A0BAEA84B5983BAF0D946BF170CD33DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162180Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:50.741{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52200-false10.0.1.12-8000- 23542300x8000000000000000162182Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:54.973{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338F3CAFD6CF20B83730F286C67BEB87,SHA256=AC5983875D42197E921177465B5BEDFDB2BF5F48F0437766858B1154C8FCA9C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215844Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:51.852{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-414.attackrange.local64864-false40.77.226.250-443https 354300x8000000000000000215843Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:51.830{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local50929- 354300x8000000000000000215842Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:51.829{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53547- 23542300x8000000000000000215841Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:54.806{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3703E40E189C893F69F8EDF3BD57DA74,SHA256=1E2CDE98A200EB86DD6414907C3ABBBE77B83A964407EBDA2C2CEE5DC3C6921F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215846Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:55.856{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9894D0E58BFD0EBC3F484C9909BB8074,SHA256=8EEB917096DE34B6B33DF9FD1059EADF27F8B231F6C236B21E1FB9B595A6EFBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215845Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:52.232{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64865-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215847Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:56.870{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F203908DB4411DA3417B0E70FBE92D2,SHA256=58AD40C32F1FBC8C6BB1FC4853E59C56820D363A75CAE9918CF6A3F4F460DFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162183Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:56.020{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE48A331DDEF6294BDFFAECA9F407F5,SHA256=C6AE00611F966472ED89E210C7D9872A52B6B85788631FEAFD7F80A300C5669B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215848Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:57.885{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CAD578572DF53DCEDD89572A5ADC95,SHA256=CB1F7337A0AD00B1F6861EDBF4F1F3F4B41A7902A1A42C7158049CB9BD58D1D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162184Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:57.037{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA94AF929DE0394DB7DF99046A2F2E3,SHA256=E627A579335AE17001EE323E81893C614C0DF6EE5ECFDAEBF67D9CB8A0CA3E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215849Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:58.885{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0B67E8FC8F385ECD91D2D7538E5597,SHA256=14CF7CB6013EA899200538EAB9541D8563D18FEEBA70D5CEDD1783C7B490FEF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162185Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:58.070{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B9657F88E75F0FE63659ED506F4F2D,SHA256=D1BC0409BD1BCE9D60B15BCDF2B23524E7CA12406ADBB10E0A6AC55A2070E50E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215865Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:57.346{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64866-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215864Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.954{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA6D167C38C38DFED6282257FEC59CB,SHA256=E74023FCEC872E73BC0A0E15AEBB51EE8650168B10D3003F9934665F47D21E3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162187Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:55.850{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52201-false10.0.1.12-8000- 23542300x8000000000000000162186Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:23:59.087{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B197D0FF112FE1A77CBF68E8CCCE8650,SHA256=F12220BF1CD7364AB27D760BA69A7D2B53787725AAF58CD5A063D7AF21657283,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215863Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.770{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-564F-6116-2607-00000000E701}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215862Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.770{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215861Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.770{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215860Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.770{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215859Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.770{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215858Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.770{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-564F-6116-2607-00000000E701}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215857Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.770{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-564F-6116-2607-00000000E701}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215856Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.771{079FE16A-564F-6116-2607-00000000E701}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215855Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.208{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=DE6312EFA9CD6D5350C92C84D0AFD5AF,SHA256=7A3974BCF90871503831ADE71A1A6F8450690185859C89B89F5277A8588B1DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215854Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.208{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=195877E67617FE80B4096548775FA517,SHA256=978274FA699DAB255B5D9FC54BA63E6BFC83761DE6F91C6661D8E2ECC1978370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215853Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.208{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D9040E4F8ED5249B9C204EB5AD571681,SHA256=C9C5889EA46B9754B43A3B24C983B6432769D378022D58438C0BE8580184ACB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215852Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.207{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=030C9C05041F2F347FD8EAD7FBD8FC46,SHA256=051EB5020A2AB71F345100339B603C4FF49BC30D9202D641F69FB2DA908CC026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215851Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.205{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=8E0924A08D4DF82BB9016A0982DBAEA2,SHA256=5ED2508E4262B743B8E6FBD8754BA59AAE65301245FCB625FD24A690AD6CBC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215850Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:23:59.203{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=DC000C7C024F1302FA9755550D49C1B3,SHA256=5A9C9F8EFE59D4E6533CE7A121FB65977D8E0C31956103C1A391F13DCFA2AF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215877Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:00.958{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC870E91F24D1A39BCCE3A64A9775A6,SHA256=6884E087DF7ECE86943251DADD2FB85C2AF6F3DCB440F0AED7BA27B5F8FD566F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162188Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:00.134{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39307AA1B94A7EB14011A44FE6FCE0B6,SHA256=D060A7B5247B6E4F3101DF660F259E5B31A70338A5E8F902562CF04C02BAA1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215876Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:00.773{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FACBB5DDADF108E809E9790B2CDDD7EF,SHA256=AC07D1BE8972FBC377F0606AF8C8542EC8972BCCCBBDB8A5B25A6FF3464C8E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215875Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:00.773{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22C0C0D75F6B244A11595340A889E30B,SHA256=0DD5D375997F117A8E296ECE6E82508D9EC7D7A3038B14A101FD32845C165E57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215874Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:00.439{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5650-6116-2707-00000000E701}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215873Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:00.439{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215872Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:00.439{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215871Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:00.439{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215870Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:00.439{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215869Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:00.439{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5650-6116-2707-00000000E701}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215868Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:00.439{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5650-6116-2707-00000000E701}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215867Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:00.440{079FE16A-5650-6116-2707-00000000E701}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215866Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:00.070{079FE16A-564F-6116-2607-00000000E701}71126888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162189Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:01.165{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ECF02EB20CC20C58ADEB1AB475D4C19,SHA256=A62519F2E50A6DAE826610ED2DD0D75D009A5FFDD7CB99CFE34235360D289FB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215885Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:01.111{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5651-6116-2807-00000000E701}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215884Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:01.109{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215883Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:01.109{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215882Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:01.109{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215881Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:01.108{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215880Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:01.108{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5651-6116-2807-00000000E701}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215879Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:01.107{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5651-6116-2807-00000000E701}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215878Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:01.106{079FE16A-5651-6116-2807-00000000E701}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162190Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:02.165{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D83B2C099EBD48F137730AD41B63C7,SHA256=887533CEFEACCE74E06CE70A374BA0DE8BF06C6DF84E84E8800E527E06CA9E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215887Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:02.120{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FACBB5DDADF108E809E9790B2CDDD7EF,SHA256=AC07D1BE8972FBC377F0606AF8C8542EC8972BCCCBBDB8A5B25A6FF3464C8E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215886Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:02.020{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007A08F92FA7266B83EE5F015C99B3A1,SHA256=003E273F789D3EBCC204EF4D698A75DE74E0598B5D09452A73D9B2DDE4E12B7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162192Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:00.886{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52202-false10.0.1.12-8000- 23542300x8000000000000000162191Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:03.165{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7E5DA07FCD9E890F63B691069EE337,SHA256=C734763EB08D924BB587A493A3ADBCE302D69BD1FF180C89A25568AB1AC3F5A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215896Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:03.756{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5653-6116-2907-00000000E701}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215895Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:03.753{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215894Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:03.753{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5653-6116-2907-00000000E701}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215893Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:03.753{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215892Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:03.753{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215891Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:03.753{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215890Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:03.752{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5653-6116-2907-00000000E701}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215889Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:03.751{079FE16A-5653-6116-2907-00000000E701}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215888Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:03.035{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20736C5B83EB70D85941219497119638,SHA256=E64DADABC0437805BF085D2710085AD9C9D35BD1170BC897BC4FA29278164D40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162193Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:04.165{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291B58BAD7F71E55FC298110AF3C8979,SHA256=CD0CEA437D13FDA0B72A803B0FF8AEC1C72BC5216181BD33150BCB3CD132BB3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215908Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:04.756{079FE16A-5654-6116-2A07-00000000E701}71245024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215907Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:04.735{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17E45AE577C83B9AFFC451F6BF43257C,SHA256=1808CB9A7E8F26FE3F3AB5A9604C8013849E25B20A6CBFD6CBD6C43A46D88FAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215906Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:04.435{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5654-6116-2A07-00000000E701}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215905Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:04.435{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215904Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:04.435{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215903Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:04.435{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215902Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:04.435{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215901Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:04.435{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5654-6116-2A07-00000000E701}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215900Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:04.435{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5654-6116-2A07-00000000E701}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215899Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:04.436{079FE16A-5654-6116-2A07-00000000E701}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215898Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:04.035{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFDF69BB3809E3B9C30B6C761A1EF13,SHA256=A3B5D3E3A05C6074827465B685652ED349CBCB114569B123CFFC30B2C1DAD83A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215897Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:04.004{079FE16A-5653-6116-2907-00000000E701}63406448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000162195Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:03.432{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse118.69.82.69-57719-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000162194Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:05.165{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B7880A185A56AEFA0814F3816137B6,SHA256=68B8F346AD9061797F6F3F868B006FB451352518B001E5BB9700C840173042B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215930Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:03.228{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64868-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000215929Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:02.873{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse118.69.82.69-57715-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 10341000x8000000000000000215928Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.772{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5655-6116-2C07-00000000E701}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215927Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.772{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215926Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.772{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215925Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.772{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215924Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.772{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215923Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.772{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5655-6116-2C07-00000000E701}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215922Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.772{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5655-6116-2C07-00000000E701}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215921Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.774{079FE16A-5655-6116-2C07-00000000E701}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215920Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.357{079FE16A-5655-6116-2B07-00000000E701}53606532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000215919Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:02.859{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64867-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000215918Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:02.859{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64867-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 10341000x8000000000000000215917Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.103{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5655-6116-2B07-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215916Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.103{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215915Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.103{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215914Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.103{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215913Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.103{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5655-6116-2B07-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215912Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.103{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215911Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.103{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5655-6116-2B07-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215910Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.105{079FE16A-5655-6116-2B07-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215909Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:05.057{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FE4227FF7307CC9899D8133B54B104,SHA256=C6CE54CABD37B9F780E554AED0A6B0DCEB91E29D8F59F1E198CCB698523A3A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162196Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:06.165{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=839BD183ADA1C549A199F61CDE0AD96B,SHA256=74432DC9E502C8324430F5BAF197CB35CC9F6403F8E21C1CAA521FD8BFAB349A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215932Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:06.104{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3B05D33C76393C74BC0462D8A3ADE68,SHA256=492409E2D5A6119979D91FBA9D130F530DC6FDC346B4B9927002D70F8D8E36D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215931Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:06.073{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2468C9C2395FC0CC6C6D55291D81754,SHA256=F297728A125761322280D839C361CFEB639F993FEF9D685445F7CABC27213556,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215952Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.874{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+c2ef3b|C:\Program Files\Mozilla Firefox\xul.dll+c27d22|C:\Program Files\Mozilla Firefox\xul.dll+c2d360|C:\Program Files\Mozilla Firefox\xul.dll+c2daa1|C:\Program Files\Mozilla Firefox\xul.dll+3b9a11|C:\Program Files\Mozilla Firefox\xul.dll+c2e859|C:\Program Files\Mozilla Firefox\xul.dll+c318d2|C:\Program Files\Mozilla Firefox\xul.dll+c2e276|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c2ae68|C:\Program Files\Mozilla Firefox\xul.dll+c31348|C:\Program Files\Mozilla Firefox\xul.dll+c316ad 10341000x8000000000000000215951Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.874{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+27a80d8|C:\Program Files\Mozilla Firefox\xul.dll+27994dc|C:\Program Files\Mozilla Firefox\xul.dll+c28d81|C:\Program Files\Mozilla Firefox\xul.dll+27905ad|C:\Program Files\Mozilla Firefox\xul.dll+c30156|C:\Program Files\Mozilla Firefox\xul.dll+c2924b|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c2ae68|C:\Program Files\Mozilla Firefox\xul.dll+279181e|C:\Program Files\Mozilla Firefox\xul.dll+27915b4|C:\Program Files\Mozilla Firefox\xul.dll+c313b2|C:\Program Files\Mozilla Firefox\xul.dll+c2b0c9 10341000x8000000000000000215950Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.874{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+c2f570|C:\Program Files\Mozilla Firefox\xul.dll+27a54bb|C:\Program Files\Mozilla Firefox\xul.dll+2798666|C:\Program Files\Mozilla Firefox\xul.dll+c289fa|C:\Program Files\Mozilla Firefox\xul.dll+27905ad|C:\Program Files\Mozilla Firefox\xul.dll+c30156|C:\Program Files\Mozilla Firefox\xul.dll+c2924b|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c2ae68|C:\Program Files\Mozilla Firefox\xul.dll+279181e|C:\Program Files\Mozilla Firefox\xul.dll+27915b4|C:\Program Files\Mozilla Firefox\xul.dll+c313b2 10341000x8000000000000000215949Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.874{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+c2ef3b|C:\Program Files\Mozilla Firefox\xul.dll+c27d22|C:\Program Files\Mozilla Firefox\xul.dll+c2d360|C:\Program Files\Mozilla Firefox\xul.dll+c2daa1|C:\Program Files\Mozilla Firefox\xul.dll+3b9a11|C:\Program Files\Mozilla Firefox\xul.dll+c2e859|C:\Program Files\Mozilla Firefox\xul.dll+c318d2|C:\Program Files\Mozilla Firefox\xul.dll+c2e276|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c2ae68|C:\Program Files\Mozilla Firefox\xul.dll+c31348|C:\Program Files\Mozilla Firefox\xul.dll+c316ad 10341000x8000000000000000215948Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.874{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83cb2|C:\Program Files\Mozilla Firefox\xul.dll+b9d6c3|C:\Program Files\Mozilla Firefox\xul.dll+b9d349|C:\Program Files\Mozilla Firefox\xul.dll+b9db8c|C:\Program Files\Mozilla Firefox\xul.dll+f90a02|C:\Program Files\Mozilla Firefox\xul.dll+1a5ddf4|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f|C:\Program Files\Mozilla Firefox\xul.dll+ecdf1b|C:\Program Files\Mozilla Firefox\xul.dll+ecda52|C:\Program Files\Mozilla Firefox\xul.dll+2bef52|C:\Program Files\Mozilla Firefox\xul.dll+1af0fdb|C:\Program Files\Mozilla Firefox\xul.dll+f31cc0|C:\Program Files\Mozilla Firefox\xul.dll+f31b35|C:\Program Files\Mozilla Firefox\xul.dll+f31687|C:\Program Files\Mozilla Firefox\xul.dll+f3116e 10341000x8000000000000000215947Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.874{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83cb2|C:\Program Files\Mozilla Firefox\xul.dll+b9d6c3|C:\Program Files\Mozilla Firefox\xul.dll+b9d349|C:\Program Files\Mozilla Firefox\xul.dll+b9db8c|C:\Program Files\Mozilla Firefox\xul.dll+f90a02|C:\Program Files\Mozilla Firefox\xul.dll+1a5ddf4|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f|C:\Program Files\Mozilla Firefox\xul.dll+ecdf1b|C:\Program Files\Mozilla Firefox\xul.dll+ecda52|C:\Program Files\Mozilla Firefox\xul.dll+2bef52|C:\Program Files\Mozilla Firefox\xul.dll+1af0fdb|C:\Program Files\Mozilla Firefox\xul.dll+f31cc0|C:\Program Files\Mozilla Firefox\xul.dll+f31b35|C:\Program Files\Mozilla Firefox\xul.dll+f31687|C:\Program Files\Mozilla Firefox\xul.dll+f3116e 10341000x8000000000000000215946Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.874{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83cb2|C:\Program Files\Mozilla Firefox\xul.dll+b9d6c3|C:\Program Files\Mozilla Firefox\xul.dll+b9d349|C:\Program Files\Mozilla Firefox\xul.dll+b9db8c|C:\Program Files\Mozilla Firefox\xul.dll+f90a02|C:\Program Files\Mozilla Firefox\xul.dll+1a5ddf4|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f|C:\Program Files\Mozilla Firefox\xul.dll+ecdf1b|C:\Program Files\Mozilla Firefox\xul.dll+ecda52|C:\Program Files\Mozilla Firefox\xul.dll+2bef52|C:\Program Files\Mozilla Firefox\xul.dll+1af0fdb|C:\Program Files\Mozilla Firefox\xul.dll+f31cc0|C:\Program Files\Mozilla Firefox\xul.dll+f31b35|C:\Program Files\Mozilla Firefox\xul.dll+f31687|C:\Program Files\Mozilla Firefox\xul.dll+f3116e 10341000x8000000000000000215945Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.874{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83cb2|C:\Program Files\Mozilla Firefox\xul.dll+b9d6c3|C:\Program Files\Mozilla Firefox\xul.dll+b9d349|C:\Program Files\Mozilla Firefox\xul.dll+b9db8c|C:\Program Files\Mozilla Firefox\xul.dll+f90a02|C:\Program Files\Mozilla Firefox\xul.dll+1a5ddf4|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f|C:\Program Files\Mozilla Firefox\xul.dll+ecdf1b|C:\Program Files\Mozilla Firefox\xul.dll+ecda52|C:\Program Files\Mozilla Firefox\xul.dll+2bef52|C:\Program Files\Mozilla Firefox\xul.dll+1af0fdb|C:\Program Files\Mozilla Firefox\xul.dll+f31cc0|C:\Program Files\Mozilla Firefox\xul.dll+f31b35|C:\Program Files\Mozilla Firefox\xul.dll+f31687|C:\Program Files\Mozilla Firefox\xul.dll+f3116e 10341000x8000000000000000215944Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.874{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83cb2|C:\Program Files\Mozilla Firefox\xul.dll+b9d6c3|C:\Program Files\Mozilla Firefox\xul.dll+b9d349|C:\Program Files\Mozilla Firefox\xul.dll+b9db8c|C:\Program Files\Mozilla Firefox\xul.dll+f90a02|C:\Program Files\Mozilla Firefox\xul.dll+1a5ddf4|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f|C:\Program Files\Mozilla Firefox\xul.dll+ecdf1b|C:\Program Files\Mozilla Firefox\xul.dll+ecda52|C:\Program Files\Mozilla Firefox\xul.dll+2bef52|C:\Program Files\Mozilla Firefox\xul.dll+1af0fdb|C:\Program Files\Mozilla Firefox\xul.dll+f31cc0|C:\Program Files\Mozilla Firefox\xul.dll+f31b35|C:\Program Files\Mozilla Firefox\xul.dll+f31687|C:\Program Files\Mozilla Firefox\xul.dll+f3116e 10341000x8000000000000000215943Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.858{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b864c8|C:\Program Files\Mozilla Firefox\xul.dll+19e0e20|C:\Program Files\Mozilla Firefox\xul.dll+16933c1|C:\Program Files\Mozilla Firefox\xul.dll+1a0af2c|C:\Program Files\Mozilla Firefox\xul.dll+a105df|C:\Program Files\Mozilla Firefox\xul.dll+263fe|C:\Program Files\Mozilla Firefox\xul.dll+1a2a18|C:\Program Files\Mozilla Firefox\xul.dll+1a18cf|C:\Program Files\Mozilla Firefox\xul.dll+41db8da|C:\Program Files\Mozilla Firefox\xul.dll+424765d|C:\Program Files\Mozilla Firefox\xul.dll+42482d3|C:\Program Files\Mozilla Firefox\xul.dll+1eeddc3|C:\Program Files\Mozilla Firefox\firefox.exe+5c0d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215942Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.858{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b864c8|C:\Program Files\Mozilla Firefox\xul.dll+19e0e20|C:\Program Files\Mozilla Firefox\xul.dll+16933c1|C:\Program Files\Mozilla Firefox\xul.dll+1a0af2c|C:\Program Files\Mozilla Firefox\xul.dll+a105df|C:\Program Files\Mozilla Firefox\xul.dll+263fe|C:\Program Files\Mozilla Firefox\xul.dll+1a2a18|C:\Program Files\Mozilla Firefox\xul.dll+1a18cf|C:\Program Files\Mozilla Firefox\xul.dll+41db8da|C:\Program Files\Mozilla Firefox\xul.dll+424765d|C:\Program Files\Mozilla Firefox\xul.dll+42482d3|C:\Program Files\Mozilla Firefox\xul.dll+1eeddc3|C:\Program Files\Mozilla Firefox\firefox.exe+5c0d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215941Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.858{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b864c8|C:\Program Files\Mozilla Firefox\xul.dll+19e0e20|C:\Program Files\Mozilla Firefox\xul.dll+16933c1|C:\Program Files\Mozilla Firefox\xul.dll+1a0af2c|C:\Program Files\Mozilla Firefox\xul.dll+a105df|C:\Program Files\Mozilla Firefox\xul.dll+263fe|C:\Program Files\Mozilla Firefox\xul.dll+1a2a18|C:\Program Files\Mozilla Firefox\xul.dll+1a18cf|C:\Program Files\Mozilla Firefox\xul.dll+41db8da|C:\Program Files\Mozilla Firefox\xul.dll+424765d|C:\Program Files\Mozilla Firefox\xul.dll+42482d3|C:\Program Files\Mozilla Firefox\xul.dll+1eeddc3|C:\Program Files\Mozilla Firefox\firefox.exe+5c0d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215940Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.858{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b864c8|C:\Program Files\Mozilla Firefox\xul.dll+19e0e20|C:\Program Files\Mozilla Firefox\xul.dll+16933c1|C:\Program Files\Mozilla Firefox\xul.dll+1a0af2c|C:\Program Files\Mozilla Firefox\xul.dll+a105df|C:\Program Files\Mozilla Firefox\xul.dll+263fe|C:\Program Files\Mozilla Firefox\xul.dll+1a2a18|C:\Program Files\Mozilla Firefox\xul.dll+1a18cf|C:\Program Files\Mozilla Firefox\xul.dll+41db8da|C:\Program Files\Mozilla Firefox\xul.dll+424765d|C:\Program Files\Mozilla Firefox\xul.dll+42482d3|C:\Program Files\Mozilla Firefox\xul.dll+1eeddc3|C:\Program Files\Mozilla Firefox\firefox.exe+5c0d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215939Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.858{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b864c8|C:\Program Files\Mozilla Firefox\xul.dll+19e0e20|C:\Program Files\Mozilla Firefox\xul.dll+16933c1|C:\Program Files\Mozilla Firefox\xul.dll+1a0af2c|C:\Program Files\Mozilla Firefox\xul.dll+a105df|C:\Program Files\Mozilla Firefox\xul.dll+263fe|C:\Program Files\Mozilla Firefox\xul.dll+1a2a18|C:\Program Files\Mozilla Firefox\xul.dll+1a18cf|C:\Program Files\Mozilla Firefox\xul.dll+41db8da|C:\Program Files\Mozilla Firefox\xul.dll+424765d|C:\Program Files\Mozilla Firefox\xul.dll+42482d3|C:\Program Files\Mozilla Firefox\xul.dll+1eeddc3|C:\Program Files\Mozilla Firefox\firefox.exe+5c0d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215938Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.858{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+27a80d8|C:\Program Files\Mozilla Firefox\xul.dll+27994dc|C:\Program Files\Mozilla Firefox\xul.dll+c28d81|C:\Program Files\Mozilla Firefox\xul.dll+27905ad|C:\Program Files\Mozilla Firefox\xul.dll+c30156|C:\Program Files\Mozilla Firefox\xul.dll+c2924b|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c2ae68|C:\Program Files\Mozilla Firefox\xul.dll+279181e|C:\Program Files\Mozilla Firefox\xul.dll+27915b4|C:\Program Files\Mozilla Firefox\xul.dll+c313b2|C:\Program Files\Mozilla Firefox\xul.dll+c2b0c9 10341000x8000000000000000215937Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.474{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215936Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.474{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215935Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.474{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EBB-6116-BF01-00000000E701}6036C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2e0c0|C:\Program Files\Mozilla Firefox\xul.dll+e7b1f8|C:\Program Files\Mozilla Firefox\xul.dll+e7ad39|C:\Program Files\Mozilla Firefox\xul.dll+e7c1ff|C:\Program Files\Mozilla Firefox\xul.dll+1195f56|C:\Program Files\Mozilla Firefox\xul.dll+e77b7d|C:\Program Files\Mozilla Firefox\xul.dll+e5fc20|C:\Program Files\Mozilla Firefox\xul.dll+1eea4c2|C:\Program Files\Mozilla Firefox\xul.dll+1a32ae7|C:\Program Files\Mozilla Firefox\xul.dll+1a34ce7|C:\Program Files\Mozilla Firefox\xul.dll+17a7787|C:\Program Files\Mozilla Firefox\xul.dll+1bdac6b|C:\Program Files\Mozilla Firefox\xul.dll+16e7a9e|C:\Program Files\Mozilla Firefox\xul.dll+1b7f606|C:\Program Files\Mozilla Firefox\xul.dll+17a7c2c|C:\Program Files\Mozilla Firefox\xul.dll+1bdac6b|C:\Program Files\Mozilla Firefox\xul.dll+16e7a9e|C:\Program Files\Mozilla Firefox\xul.dll+1b7f606|C:\Program Files\Mozilla Firefox\xul.dll+17a44d8|C:\Program Files\Mozilla Firefox\xul.dll+1890d2b|C:\Program Files\Mozilla Firefox\xul.dll+1abba3a|C:\Program Files\Mozilla Firefox\xul.dll+1ab7a6a 10341000x8000000000000000215934Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.437{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+a32069|C:\Program Files\Mozilla Firefox\xul.dll+a31f8a|C:\Program Files\Mozilla Firefox\xul.dll+a31b79|C:\Program Files\Mozilla Firefox\xul.dll+a2dd0f|C:\Program Files\Mozilla Firefox\xul.dll+a2e01c|C:\Program Files\Mozilla Firefox\xul.dll+b7b16a|C:\Program Files\Mozilla Firefox\xul.dll+2f5709|C:\Program Files\Mozilla Firefox\xul.dll+2f5614|C:\Program Files\Mozilla Firefox\xul.dll+2f53fd|C:\Program Files\Mozilla Firefox\xul.dll+2f5294|C:\Program Files\Mozilla Firefox\xul.dll+bcc903|C:\Program Files\Mozilla Firefox\xul.dll+bcd5d1|C:\Program Files\Mozilla Firefox\xul.dll+bcc5fd|C:\Program Files\Mozilla Firefox\xul.dll+bcc552|C:\Program Files\Mozilla Firefox\xul.dll+b9c028|C:\Program Files\Mozilla Firefox\xul.dll+1a5de25|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f 23542300x8000000000000000215933Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:07.074{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C57C3F5A256A1494BD539C977999BD,SHA256=75949B23767CCB49AA689320F06A4E747FB2C41BD6C589F09B36A54C732CA30A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162197Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:07.165{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C99A019AD13A48E6D75C01750748C2E,SHA256=598D164D377FD2F523CC19D415751A7D23EC6A5B0B1C1FEB405AB17826E51A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162198Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:08.165{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996C73B8450E33314C689FA7EB11B712,SHA256=C8EDE7B136C2A7A4B67C4252891F292F3005CEACB2207020A5CC7605E2D730A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215956Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:08.136{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000215955Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:08.136{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215954Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:08.136{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFba7650.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215953Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:08.089{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7ACB2A70BA30CCC2B57635D9C296A77,SHA256=122A5D9B088B7F0C9C72CA7C550430591237D1650F69EB58468CA2A028DCD56A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162202Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:06.871{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52203-false10.0.1.12-8000- 23542300x8000000000000000162201Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:09.181{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE707229410FAA449357869B2E73A772,SHA256=1B7D45AB89CC9F160C5DE0D1A4CB0EED2030032FD2D08179AA30157788452A08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215964Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.482{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EBB-6116-BF01-00000000E701}6036C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2e0c0|C:\Program Files\Mozilla Firefox\xul.dll+e7b1f8|C:\Program Files\Mozilla Firefox\xul.dll+e7abf7|C:\Program Files\Mozilla Firefox\xul.dll+8df958|C:\Program Files\Mozilla Firefox\xul.dll+8d3a54|C:\Program Files\Mozilla Firefox\xul.dll+19e0e20|C:\Program Files\Mozilla Firefox\xul.dll+16933c1|C:\Program Files\Mozilla Firefox\xul.dll+1a0af2c|C:\Program Files\Mozilla Firefox\xul.dll+a105df|C:\Program Files\Mozilla Firefox\xul.dll+263fe|C:\Program Files\Mozilla Firefox\xul.dll+1a2a18|C:\Program Files\Mozilla Firefox\xul.dll+1a18cf|C:\Program Files\Mozilla Firefox\xul.dll+41db8da|C:\Program Files\Mozilla Firefox\xul.dll+424765d|C:\Program Files\Mozilla Firefox\xul.dll+42482d3|C:\Program Files\Mozilla Firefox\xul.dll+1eeddc3|C:\Program Files\Mozilla Firefox\firefox.exe+5c0d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215963Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.257{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83cb2|C:\Program Files\Mozilla Firefox\xul.dll+b9d6c3|C:\Program Files\Mozilla Firefox\xul.dll+b9d349|C:\Program Files\Mozilla Firefox\xul.dll+b9db8c|C:\Program Files\Mozilla Firefox\xul.dll+f90a02|C:\Program Files\Mozilla Firefox\xul.dll+1a5ddf4|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f|C:\Program Files\Mozilla Firefox\xul.dll+ecdf1b|C:\Program Files\Mozilla Firefox\xul.dll+ecda52|C:\Program Files\Mozilla Firefox\xul.dll+2bef52|C:\Program Files\Mozilla Firefox\xul.dll+1af0fdb|C:\Program Files\Mozilla Firefox\xul.dll+f33306|C:\Program Files\Mozilla Firefox\xul.dll+19e0e20|C:\Program Files\Mozilla Firefox\xul.dll+16933c1|C:\Program Files\Mozilla Firefox\xul.dll+1a0af2c 10341000x8000000000000000215962Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.257{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83cb2|C:\Program Files\Mozilla Firefox\xul.dll+b9d6c3|C:\Program Files\Mozilla Firefox\xul.dll+b9d349|C:\Program Files\Mozilla Firefox\xul.dll+b9db8c|C:\Program Files\Mozilla Firefox\xul.dll+f90a02|C:\Program Files\Mozilla Firefox\xul.dll+1a5ddf4|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f|C:\Program Files\Mozilla Firefox\xul.dll+ecdf1b|C:\Program Files\Mozilla Firefox\xul.dll+ecda52|C:\Program Files\Mozilla Firefox\xul.dll+2bef52|C:\Program Files\Mozilla Firefox\xul.dll+1af0fdb|C:\Program Files\Mozilla Firefox\xul.dll+f33306|C:\Program Files\Mozilla Firefox\xul.dll+19e0e20|C:\Program Files\Mozilla Firefox\xul.dll+16933c1|C:\Program Files\Mozilla Firefox\xul.dll+1a0af2c 10341000x8000000000000000215961Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.256{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+c187e3|C:\Program Files\Mozilla Firefox\xul.dll+c17e8a|C:\Program Files\Mozilla Firefox\xul.dll+c0fb93|C:\Program Files\Mozilla Firefox\xul.dll+c19230|C:\Program Files\Mozilla Firefox\xul.dll+f90978|C:\Program Files\Mozilla Firefox\xul.dll+1a5ddf4|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f|C:\Program Files\Mozilla Firefox\xul.dll+ecdf1b|C:\Program Files\Mozilla Firefox\xul.dll+ecda52|C:\Program Files\Mozilla Firefox\xul.dll+2bef52|C:\Program Files\Mozilla Firefox\xul.dll+1af0fdb|C:\Program Files\Mozilla Firefox\xul.dll+f33306 23542300x8000000000000000215960Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.174{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A79686C398E1C9D2EC141D51ABF72783,SHA256=448F824E1D18B96FAC709487A84E88D2A82088E95C63D1085E646596C9795BEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215959Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.121{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215958Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.090{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3017C7641DE3AE6319A97B9D8F8D3B,SHA256=AA350469F108832AEC6B72CF256035221AF73D30CA92E48BFD6D37E8CAD759E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215957Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.090{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b864c8|C:\Program Files\Mozilla Firefox\xul.dll+19e0e20|C:\Program Files\Mozilla Firefox\xul.dll+16933c1|C:\Program Files\Mozilla Firefox\xul.dll+1a0af2c|C:\Program Files\Mozilla Firefox\xul.dll+a105df|C:\Program Files\Mozilla Firefox\xul.dll+263fe|C:\Program Files\Mozilla Firefox\xul.dll+1a2a18|C:\Program Files\Mozilla Firefox\xul.dll+1a18cf|C:\Program Files\Mozilla Firefox\xul.dll+41db8da|C:\Program Files\Mozilla Firefox\xul.dll+424765d|C:\Program Files\Mozilla Firefox\xul.dll+42482d3|C:\Program Files\Mozilla Firefox\xul.dll+1eeddc3|C:\Program Files\Mozilla Firefox\firefox.exe+5c0d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162200Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:09.149{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8E0848B3883355F3F1C1BCF329B955,SHA256=12B635A6C89DB4FEF45E83DC35AA155CF7EBFB7A308448A80A9F340939B37895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162199Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:09.149{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FA6967D2E982EC514A53EDEB82E99A7,SHA256=113C3259EDA8F204D8A2592C311D1665A471F956F6086D1D0DBA36A4921CE4BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215975Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.967{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+27a80d8|C:\Program Files\Mozilla Firefox\xul.dll+27994dc|C:\Program Files\Mozilla Firefox\xul.dll+c28d81|C:\Program Files\Mozilla Firefox\xul.dll+27905ad|C:\Program Files\Mozilla Firefox\xul.dll+c30156|C:\Program Files\Mozilla Firefox\xul.dll+c2924b|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c2ae68|C:\Program Files\Mozilla Firefox\xul.dll+279181e|C:\Program Files\Mozilla Firefox\xul.dll+27915b4|C:\Program Files\Mozilla Firefox\xul.dll+c313b2|C:\Program Files\Mozilla Firefox\xul.dll+c2b0c9 10341000x8000000000000000215974Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.946{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b864c8|C:\Program Files\Mozilla Firefox\xul.dll+19e0e20|C:\Program Files\Mozilla Firefox\xul.dll+16933c1|C:\Program Files\Mozilla Firefox\xul.dll+1a0af2c|C:\Program Files\Mozilla Firefox\xul.dll+a105df|C:\Program Files\Mozilla Firefox\xul.dll+263fe|C:\Program Files\Mozilla Firefox\xul.dll+1a2a18|C:\Program Files\Mozilla Firefox\xul.dll+1a18cf|C:\Program Files\Mozilla Firefox\xul.dll+41db8da|C:\Program Files\Mozilla Firefox\xul.dll+424765d|C:\Program Files\Mozilla Firefox\xul.dll+42482d3|C:\Program Files\Mozilla Firefox\xul.dll+1eeddc3|C:\Program Files\Mozilla Firefox\firefox.exe+5c0d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215973Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.867{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+27a80d8|C:\Program Files\Mozilla Firefox\xul.dll+27994dc|C:\Program Files\Mozilla Firefox\xul.dll+c28d81|C:\Program Files\Mozilla Firefox\xul.dll+27905ad|C:\Program Files\Mozilla Firefox\xul.dll+c30156|C:\Program Files\Mozilla Firefox\xul.dll+c2924b|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c2ae68|C:\Program Files\Mozilla Firefox\xul.dll+279181e|C:\Program Files\Mozilla Firefox\xul.dll+27915b4|C:\Program Files\Mozilla Firefox\xul.dll+c313b2|C:\Program Files\Mozilla Firefox\xul.dll+c2b0c9 10341000x8000000000000000215972Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.867{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+27a80d8|C:\Program Files\Mozilla Firefox\xul.dll+27994dc|C:\Program Files\Mozilla Firefox\xul.dll+c28d81|C:\Program Files\Mozilla Firefox\xul.dll+27905ad|C:\Program Files\Mozilla Firefox\xul.dll+c30156|C:\Program Files\Mozilla Firefox\xul.dll+c2924b|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c2ae68|C:\Program Files\Mozilla Firefox\xul.dll+279181e|C:\Program Files\Mozilla Firefox\xul.dll+27915b4|C:\Program Files\Mozilla Firefox\xul.dll+c313b2|C:\Program Files\Mozilla Firefox\xul.dll+c2b0c9 10341000x8000000000000000215971Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.585{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215970Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.585{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000215969Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:08.306{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local62039- 354300x8000000000000000215968Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:08.304{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local63640- 354300x8000000000000000215967Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:08.276{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64869-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215966Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.113{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5A9B79C7085F9D488F699248907008,SHA256=50CFBF104174D49CDBEC40B5E17E3A9A0EF3EB7948CAFD84D374DC284BE43870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162203Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:10.227{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B2D4A1DBBCCC0BBEC7D37942F2A7DD,SHA256=C4072505067FD1E566A03A65B6100A7E5E624E30F1D77DAB0DFC8CAA8B0B84EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215965Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.105{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83cb2|C:\Program Files\Mozilla Firefox\xul.dll+b9d6c3|C:\Program Files\Mozilla Firefox\xul.dll+b9d349|C:\Program Files\Mozilla Firefox\xul.dll+b9db8c|C:\Program Files\Mozilla Firefox\xul.dll+f90a02|C:\Program Files\Mozilla Firefox\xul.dll+1a5ddf4|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f|C:\Program Files\Mozilla Firefox\xul.dll+ecdf1b|C:\Program Files\Mozilla Firefox\xul.dll+ecda52|C:\Program Files\Mozilla Firefox\xul.dll+2bef52|C:\Program Files\Mozilla Firefox\xul.dll+1af0fdb|C:\Program Files\Mozilla Firefox\xul.dll+f33306|C:\Program Files\Mozilla Firefox\xul.dll+19e0e20|C:\Program Files\Mozilla Firefox\xul.dll+16933c1|C:\Program Files\Mozilla Firefox\xul.dll+1a0af2c 23542300x8000000000000000162204Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:11.243{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E1B065B22B6F58286E573DC34EBA0C,SHA256=D5AA2DD77EF5A4762B19A88DBDFF7587F87611B3BFE270932E4B7BBC7798262B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216001Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.859{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64662- 354300x8000000000000000216000Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.821{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-414.attackrange.local59436-false142.250.185.206fra16s52-in-f14.1e100.net443https 354300x8000000000000000215999Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.701{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-414.attackrange.local52777-false172.217.18.99zrh04s05-in-f99.1e100.net443https 354300x8000000000000000215998Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.487{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local52776- 354300x8000000000000000215997Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.487{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local50435- 354300x8000000000000000215996Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.487{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local51268- 354300x8000000000000000215995Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.487{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local61555- 354300x8000000000000000215994Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.485{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local49906- 354300x8000000000000000215993Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.485{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local54008- 10341000x8000000000000000215992Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.446{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215991Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.446{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215990Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.446{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215989Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.445{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215988Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.445{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215987Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.444{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215986Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.408{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\permissions.sqlite-journalMD5=7895B566CCC91BA16F5BDD3E8EBDF3BD,SHA256=F88D3C8B1778F1DB1D8648F255E3E090B7249CBBA36DB1475D5D7EDDF2901BEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215985Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.382{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215984Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.382{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215983Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.381{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215982Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.380{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215981Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.349{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F65C2A18AA60D175D124A30E28AB33B,SHA256=434F9543CFF249E110C290407321FE272E63D33DF3CF989032E347496F19906C,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000215980Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:08.322{079FE16A-2EB1-6116-B301-00000000E701}4676www.google.com02a00:1450:4001:802::2004;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000215979Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:08.318{079FE16A-2EB1-6116-B301-00000000E701}4676www.google.com0216.58.212.164;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000215978Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:08.317{079FE16A-2EB1-6116-B301-00000000E701}4676www.google.com0::ffff:216.58.212.164;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000215977Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:08.308{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-414.attackrange.local63641-false216.58.212.164ams15s22-in-f4.1e100.net443https 354300x8000000000000000215976Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:08.307{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local51439- 23542300x8000000000000000216011Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:12.856{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\cache2\doomed\475MD5=31D8619D91C218DB7825E850B5460B6B,SHA256=72F4CCD2C675DC68F8AE382302335F149CED94077E84A0CFDCD135F26496586C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216010Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:12.817{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216009Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:12.363{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77BC50C18890C7B7FE629582BDC01350,SHA256=1C39DC080572CF566931CE47B27C1EB94BB82C20CD87EFED8CDEEF935AEA80C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162205Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:12.306{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E4F87A589AB3D94DDBE63354490BE1,SHA256=1C211AFD56D7DE5E36507DA9F11C17A9361029FB531F0D10F7F53AAC19358181,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000216008Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.157{079FE16A-2EB1-6116-B301-00000000E701}4676adservice.google.de0type: 5 pagead46.l.doubleclick.net;::ffff:216.58.212.162;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000216007Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.831{079FE16A-2EB1-6116-B301-00000000E701}4676plus.l.google.com0142.250.185.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000216006Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:09.827{079FE16A-2EB1-6116-B301-00000000E701}4676apis.google.com0type: 5 plus.l.google.com;::ffff:142.250.185.206;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000216005Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.078{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-414.attackrange.local64133-false142.250.185.162fra16s51-in-f2.1e100.net443https 354300x8000000000000000216004Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.077{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local61255- 354300x8000000000000000216003Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.076{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64132- 354300x8000000000000000216002Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.074{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local62978- 10341000x8000000000000000216041Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.802{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216040Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.800{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216039Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.799{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216038Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.799{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216037Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.799{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216036Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.799{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216035Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.799{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216034Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.799{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216033Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.799{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216032Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.799{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216031Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.798{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216030Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.798{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216029Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.445{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+27a80d8|C:\Program Files\Mozilla Firefox\xul.dll+27994dc|C:\Program Files\Mozilla Firefox\xul.dll+c28d81|C:\Program Files\Mozilla Firefox\xul.dll+27905ad|C:\Program Files\Mozilla Firefox\xul.dll+c30156|C:\Program Files\Mozilla Firefox\xul.dll+c2924b|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c2ae68|C:\Program Files\Mozilla Firefox\xul.dll+279181e|C:\Program Files\Mozilla Firefox\xul.dll+27915b4|C:\Program Files\Mozilla Firefox\xul.dll+c313b2|C:\Program Files\Mozilla Firefox\xul.dll+c2b0c9 10341000x8000000000000000216028Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.444{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+27a80d8|C:\Program Files\Mozilla Firefox\xul.dll+27994dc|C:\Program Files\Mozilla Firefox\xul.dll+c28d81|C:\Program Files\Mozilla Firefox\xul.dll+27905ad|C:\Program Files\Mozilla Firefox\xul.dll+c30156|C:\Program Files\Mozilla Firefox\xul.dll+c2924b|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c2ae68|C:\Program Files\Mozilla Firefox\xul.dll+279181e|C:\Program Files\Mozilla Firefox\xul.dll+27915b4|C:\Program Files\Mozilla Firefox\xul.dll+c313b2|C:\Program Files\Mozilla Firefox\xul.dll+c2b0c9 10341000x8000000000000000216027Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.428{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216026Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.427{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216025Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.426{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216024Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.425{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216023Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.377{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E68D60485CC49445024D54A984EDF34,SHA256=39A03D9EB968EC126C83BF95C48992DD6CE875110B4E75BB16946912BAF05FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162206Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:13.306{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28FB8F15C9EF09917EBD1D05AFF1A62,SHA256=B4A2411723F6D182386BD74FAAEC97FA81401CB5F2669524EA0169B9A04A7FBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216022Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.355{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216021Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.329{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216020Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.329{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216019Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.327{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216018Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.327{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216017Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:13.326{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000216016Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.148{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-414.attackrange.local64497-false216.58.212.162ams15s22-in-f162.1e100.net443https 354300x8000000000000000216015Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.147{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local52047- 354300x8000000000000000216014Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.146{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local52435- 354300x8000000000000000216013Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.146{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64496- 354300x8000000000000000216012Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.145{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local51995- 354300x8000000000000000216052Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:12.907{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local50105- 23542300x8000000000000000216051Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:14.687{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\permissions.sqlite-journalMD5=F102082A826A08300F18F1F37DF4FE94,SHA256=8893A8072AA48948AC4939945EA10195CAD279F79A2036B4D238037989BDB797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216050Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:14.398{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58810259F210B3AECFBD840764C35A00,SHA256=5D546958509D6037C0837020F29D4C87061C9EB1D854001AB535F7C03984AA9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162208Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:11.933{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52204-false10.0.1.12-8000- 23542300x8000000000000000162207Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:14.306{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433E4BDB67B35F690CB343483582FE50,SHA256=CAC9AAA04AAF0E1716F55B28C8A616924C125EDF45E1B05CFF77EBA42923355C,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000216049Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.965{079FE16A-2EB1-6116-B301-00000000E701}4676gstaticadssl.l.google.com02a00:1450:4001:80f::2003;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000216048Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.963{079FE16A-2EB1-6116-B301-00000000E701}4676gstaticadssl.l.google.com0142.250.184.227;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000216047Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.954{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-414.attackrange.local63413-false142.250.184.227fra24s12-in-f3.1e100.net443https 354300x8000000000000000216046Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.952{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local50261- 354300x8000000000000000216045Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.951{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local54007- 354300x8000000000000000216044Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.941{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local63412- 354300x8000000000000000216043Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:11.892{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local52242- 354300x8000000000000000216042Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:10.512{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-414.attackrange.local59438-false142.250.186.110fra24s06-in-f14.1e100.net443https 23542300x8000000000000000216053Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:15.618{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40B94C1A89CF9A348429EA5306DAD3E,SHA256=63B92AA51E5F4470756360F8A2388A4EC1C33DE6CB848145E1398FAFDC4797CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162209Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:15.352{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99A8EBF577A7E6A88C78B03AA166403,SHA256=D3D326C631AD31A74CD0D8FC8CCB863825E6D1C6F938848110C6FC70C5C25F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216055Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:16.629{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8387EBB68E6357EF2E7EC2EFBCB1F54,SHA256=228D7B88C8D59ABA1C8DF2568E019E727E8753C1809B80FA508D4F6880B3AD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162210Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:16.368{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E23686B82966C0002EC23DA4633EAE32,SHA256=E99A4723C9F915476F87A2F66595A56499F66B0352BE2EF9DDAB5249E87489AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216054Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:16.050{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216069Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.637{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021439C205E713916CB2F750C38BE4B8,SHA256=4D6E428D369B94FBD84C216D32217E75ABEA1A120AAF01715E69828F43146873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162211Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:17.368{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DDA5990A405696DC3A427F14677186,SHA256=0316D1E4028947E7B2C3283DF1B9D0D0269AD6CD68E3F09CFF457A65FE069C67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216068Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.585{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216067Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.585{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216066Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.574{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216065Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.574{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216064Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.574{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216063Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.216{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+27a80d8|C:\Program Files\Mozilla Firefox\xul.dll+27994dc|C:\Program Files\Mozilla Firefox\xul.dll+c28d81|C:\Program Files\Mozilla Firefox\xul.dll+27905ad|C:\Program Files\Mozilla Firefox\xul.dll+c30156|C:\Program Files\Mozilla Firefox\xul.dll+c2924b|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c2ae68|C:\Program Files\Mozilla Firefox\xul.dll+279181e|C:\Program Files\Mozilla Firefox\xul.dll+27915b4|C:\Program Files\Mozilla Firefox\xul.dll+c313b2|C:\Program Files\Mozilla Firefox\xul.dll+c2b0c9 10341000x8000000000000000216062Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.215{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+27a80d8|C:\Program Files\Mozilla Firefox\xul.dll+27994dc|C:\Program Files\Mozilla Firefox\xul.dll+c28d81|C:\Program Files\Mozilla Firefox\xul.dll+27905ad|C:\Program Files\Mozilla Firefox\xul.dll+c30156|C:\Program Files\Mozilla Firefox\xul.dll+c2924b|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c2ae68|C:\Program Files\Mozilla Firefox\xul.dll+279181e|C:\Program Files\Mozilla Firefox\xul.dll+27915b4|C:\Program Files\Mozilla Firefox\xul.dll+c313b2|C:\Program Files\Mozilla Firefox\xul.dll+c2b0c9 23542300x8000000000000000216061Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.194{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\cache2\doomed\29547MD5=FA7F29679F60242136BDF6854037C68E,SHA256=2B6BCB43A22E29115CCB54301E54E4A262FBAE2106571C332F51C73E3E029D2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216060Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.193{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216059Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.127{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216058Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.127{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000216057Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:14.165{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64870-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216056Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.013{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\permissions.sqlite-journalMD5=63F55D35FE615054CB4D4429DEBCF4BB,SHA256=B6ED26E19B7723D1BE6E85B7ED81CB92A3CDC1BED2AF94A299206E9055CFDE85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216072Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:18.677{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70B578F7133B7BEF91DFB38D279470C,SHA256=E5BAEFA8FBB8CA376DA46F0045C074642504E0A3B24E72ADE9C1ECB3C0C3A585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162212Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:18.368{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103B1A4652D0B66BC9A1EF412F70E5D2,SHA256=307C9EE0D2AA1911F3C660746588167864D724F5FCBF03ED4DBBD7D493E73EEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216071Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:16.531{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local59533- 23542300x8000000000000000216070Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:18.356{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\cache2\doomed\28735MD5=ED9367A5FE9DEC5C69DFD9FC37724DB7,SHA256=6FED1AEDC3C30FDDD232F665D4E8516CB0865526165AE4978E3D3F361F1AB821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216074Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:19.828{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92EDBEBE2EF5661562C3BDF8B3A3C6A,SHA256=89981355A85F5095BEC21643F1120B6769E0DA2A86B9556E1EB3593E40DFA492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162213Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:19.368{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA8A75A58331DC36837717261305213,SHA256=99D3A431B369E0429A9D51BCBB77EF51E8928071F5646D23C2FC60982F5354F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216073Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:16.535{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-414.attackrange.local64871-false142.250.184.234fra24s12-in-f10.1e100.net443https 23542300x8000000000000000216076Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:20.848{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40DFF2514123776AE5D9137A69A47B18,SHA256=BF549EE0F7E5A6C843DD801E535977AF6A6D4D965E7D8EA57BF6657D5D09B1C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162215Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:17.855{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52205-false10.0.1.12-8000- 23542300x8000000000000000162214Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:20.415{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72329DB5EF7F3D08A6600C5855B3598,SHA256=4BD447FDF9EC0B09648A53B2F9258433C52F2D6948F0B4D8CE6ABB262F581E43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216075Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:17.941{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local62084- 23542300x8000000000000000216077Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:21.866{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F445F14CDB47D30AC4492913B40BA48E,SHA256=C73EE6F6B33F99C33289D9205DB973D15C1DB1477F65671B3DB32F1A062DF6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162216Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:21.446{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB30ECA49C5056D93AB46C0FFA39E63,SHA256=1A8DE11F369362DE0A81B3898880C31DEB6C91C672FA21CAB5FEFE4A12EBBBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216079Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:22.948{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314102FBF7C325921BCAD874434457BA,SHA256=C251C75867CCDEA0ED27C1BC28A3849814140D079C2C96C4339DB97538CF652D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162217Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:22.477{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5339E05027E282D6467583439543F35C,SHA256=7BEEB92FCD88675F53C552835B46A4613F7B67873C8E368B9B43177D675F8410,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216078Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:19.335{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64872-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216080Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:23.959{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1F72841AF2FA523074FD432CCEAA65,SHA256=AE9A29DA0823B719D2B3977C1166D12D5774B8A4ED3CB762C38071D73B02B4EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162218Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:23.477{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB7026CE71A70A284C43FB712FC31AD,SHA256=067578B438610AF810F79D3615811EB0908F0BA7F2273977E7C9048C766A5336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216083Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:24.965{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E14C5F665E16B48131FF5A453413DA3,SHA256=2752613CFEDFB8B40CD7F82BB48081C1C88E8CD1967D379BBC13378E2BC570B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162219Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:24.493{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5BCB38DE308AA704E0FBDBF85E7E16,SHA256=95632BC8DC8BF76CE35C620D21C40F41B782CA4D0256415AF548D3B8A5AF95C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216082Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:24.530{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216081Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:24.530{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216084Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:25.970{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F731A6A691737B8FCFE024018FD13190,SHA256=64333B5CB65074AC6D96003D47C918F54EF0F900A90E941812ABDD67CD1168ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162221Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:23.887{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52206-false10.0.1.12-8000- 23542300x8000000000000000162220Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:25.509{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DA0EBFDABCF42E66319B91BBBB2867,SHA256=F5F83A32150657AEF222D215B75D701B48A7AD53093FF94BE955DF77AB3437B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162222Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:26.525{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82ED4CFBD1EDD8EDDCB5825D8F795EB,SHA256=D83DA7C9D118594AB4FBE69A578EC1CC2A850CA975A5DF0F515453B044165C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162223Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:27.540{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89645FF8D943132C003073C9EBFB8639,SHA256=0383431FB8F43537D76B1AD180737B9FD27597F4E30E7F1A56AEDDE26A4E3005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216085Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:27.205{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB19E9D2D1FA099EDD70F49BC3E86D6D,SHA256=DD0DB3A46B084F4B5C2C519E5D03F6419467E4132D0E0BA763807742A2A6FCDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162224Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:28.571{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C424371D575B5F150BF6743A8739266A,SHA256=2959B5162B99707F1F8D509FD32864A7D45A674A663D948EF49A638B8A33E41B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216093Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:28.471{079FE16A-26A2-6116-1600-00000000E701}13003556C:\Windows\system32\svchost.exe{079FE16A-566C-6116-2D07-00000000E701}6780C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216092Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:28.470{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-566C-6116-2D07-00000000E701}6780C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216091Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:28.429{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-566C-6116-2D07-00000000E701}6780C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216090Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:28.392{079FE16A-284E-6116-B000-00000000E701}8523620C:\Windows\system32\csrss.exe{079FE16A-566C-6116-2D07-00000000E701}6780C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216089Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:28.310{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-566C-6116-2D07-00000000E701}6780C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216088Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:28.308{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-566C-6116-2D07-00000000E701}6780C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000216087Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:25.334{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64873-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216086Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:28.213{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B50D03686EA6D6A460AF1E94CC79BA4,SHA256=0B15614C35FE6F0A0E5B37C4A642AE7F818D6924094E34C21D15FD2CE2FFF378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162225Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:29.618{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128DED27C39DB8468A6F2B522BAE43FD,SHA256=FA3815FB71D3CADA176B993EB73CE50CB9CACECF112CE4B516D7440742BABE03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216096Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:29.353{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB3B43CF9A000E9253AC5333C67EC522,SHA256=E7BB462C0E292D735D7850524987D73E24C6B03008E2F7AF32D2355565126821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216095Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:29.352{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D4BC04A2C43515FCF605E85983C9829,SHA256=039F7BC2983618DB840F0A348A9BDFD4BB0BFEDD950A3A75C5780A6489607173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216094Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:29.256{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F17ACFA94A304E36B4481018C6DC2F,SHA256=CA3BB5489C89D5003238537EF17CCC81AF14E44E04DC1464E14C036E65681CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162226Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:30.649{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1381E04E9BC90C5749C42AC67223853,SHA256=5DFE60F5931CF69C7E9FBC28F58EB99011A7457B2108BCDDE255FC9847E1E947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216097Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:30.262{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70053ABEC4285BE884E7A2076CA76920,SHA256=1A9536EA35A8D781BE7357348498B48F3064B324ADD4917F38B7AE6BBAB343A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162228Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:29.746{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52207-false10.0.1.12-8000- 23542300x8000000000000000162227Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:31.649{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDAD6A2CFB19F423E403A625D46CBCF,SHA256=CA15F04FB1B45F0D38791775DC167C44A183F8A2D6FAC82A840595FEE5CF974A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216098Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:31.361{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81E94E13AAD10F25581B0ACD7456661,SHA256=9F5BE439063EAB92D69F310793A8EDD172DBB618873C7D7C6C01EED499306CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162229Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:32.665{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B84D3A660B72D55642219069D23EE75,SHA256=AF7601428E240DBDA42C4FBB0C7758515E7D37161A56B32225BE014F4ABF04C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216099Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:32.397{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BF1A392D79C6635EC7A66B954733BE,SHA256=1EE1D1F633FCD98B0E9574FBCBE179462DBEF1971B394870DC4159D041BA1482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162230Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:33.696{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4333E9B21A20F7558AC82F17B130B5CF,SHA256=A9CF32D5D7ACFDF1ACC3D185767DAFFCE862AC32D37149F264AB66F8C77F685D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216100Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:33.400{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B812F86EE61245C9AF6DE4285CE00321,SHA256=C54E5F06F26798CA821412D98D56374914DCB689019D41D721A092B41F081E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162231Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:34.696{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3822BBF54B2216C5D7C9B8C4B5E0DF88,SHA256=18E3CF929EBB550DE2881335AD1FDD1B41EB68D2D40C8D90F9842A4DA246296E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216102Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:34.415{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EC8A7F1C9185891E336F096E745E14,SHA256=13D84FDF4A1CC4AF56A2653800BA43603A6AAD2E07873BA0B6797FA13118BAF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216101Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:31.290{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64874-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000162233Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:35.727{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F551E9582464142FC8F83858E837FD,SHA256=9718EA5B33A0E5FABE12E0BC83BF4A04876A728A3D141002C1A8324813F6B8CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216103Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:35.420{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7A96F2C9F486974E828BE497C5DDEE,SHA256=EAAF10F811297C26E116CFBFA63283628A2019C381B73BDA5A4BD9A0AE80002A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162232Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:35.321{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=82C9613D906D416E7B478DC922825382,SHA256=5AA2293F9A815DC929A5926398739486C2C7A6B8A30F31CAE495182F527F7114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162234Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:36.727{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC2B2B2F58895D32C99EF670B7BC0C3,SHA256=DF76939772DAF5E78E5F87A79AA988818C2E8EA814A54AFE1728CD8501F5E5F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216105Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:36.933{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=11F393D9221115251826258EA4F14FED,SHA256=FCAA808271619FD8FE864B1B60466799337477D112D5EBAA062270D83A70E7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216104Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:36.437{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C0C0A87D62527F23266C84B289E6D2,SHA256=70488E56BC90A6CC3F1888B3D00D7522E6F7A69F0619CBA8F90267BB7F0B4270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216106Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:37.656{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82BF046AC5D1F26BE3B3BE9555CB510,SHA256=335A456BDD32EEE6C228BDE20C7CE704430C2EEF500928EFCD040D97F4A5B959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162235Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:37.759{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB25E0C272745031D59F433A9CB579F5,SHA256=8AFF9AFC61DA934F17A804E3681F61C1061D237F494B146A0251773D32447A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216109Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:38.900{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216108Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:38.872{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C86645B71167AD9B2347A42B72591E,SHA256=D5E6A4082245E6B740F9BD394C09C1E09977A29D74827EC73E079EA63C2E5812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162237Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:38.759{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC380C5501BCEEE356A69318E4CC46A0,SHA256=0365778D46D9ABADD400329F46249EB5000A7663C889FD0A27B4CEF7A057E317,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216107Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:38.487{079FE16A-26A2-6116-1400-00000000E701}10761472C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000162236Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:35.715{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52208-false10.0.1.12-8000- 23542300x8000000000000000216111Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:39.909{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439F1DC90D4FF27ED2DD39DCFF8A77B5,SHA256=F43B537B22A093C25C22397F15AA37DB91EBE7AD0E2DD67BB02F23BBE2A2A07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162238Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:39.759{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC920282667DCCA62C542328DC0D16F,SHA256=9A602453A7D17513EE596A855280E62F8364E742EB3BCB90B04E32A85E698111,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216110Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:37.138{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64875-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216113Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:40.928{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A627272A9F26A829A9A35BD3615C05,SHA256=84E07D164CEAC893962A3CAC570117787288B431B2A147D199EF79E995DD960F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162239Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:40.759{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BA9056DE8CB50850E15A7B0DA9AA72,SHA256=FD0F3215A853EDEFAE73D11FA772239F4692CC9EEC80643F0C7D2CD12ACEA204,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216112Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:38.006{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64876-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000162240Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:41.759{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F69DF4721CE43B02912A6E8899DFB80,SHA256=CF24410AC01F534E366313FAB38787C390EE1A0E8C39BAC78EBFC33FDE09D21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162242Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:42.759{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE827A25C9F6903AAE92E5CBAFF385B1,SHA256=146547BF0E18804EF546CD1377036C575B14969396255FF43B89BBBF6CA1A048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216114Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:42.139{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24835BFBB9828D47CA0783E18B22FCDE,SHA256=0B8CA6C1324F63E4C6C0B3B8C64ED7B07D20FC29D72CC8EF08BE7A0D2FECF585,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162241Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:40.840{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52209-false10.0.1.12-8000- 23542300x8000000000000000162243Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:43.759{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744434EBB7C13540C36DA7AC9C199629,SHA256=F9C2712A8B07F6CC62123161B52C44D28FC5072D265A2CE7B82B7CDB4F569B80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216116Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:40.721{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.9.49.23995.9.49.239.static.ttnet.com.tr63668-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 23542300x8000000000000000216115Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:43.177{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38104C8C06D86D853A975608756D9A78,SHA256=5369606D885121A28570B0516404A5361852B0B04EE34EDEAA0552152A830B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216117Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:44.183{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551EB409C7B1AEADA9EFAB0F821B0027,SHA256=637EDCDD52FB88132DE90EE0B164951D6A6597FDF6328B452C7AF9C58F08A74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162244Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:44.759{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744AA68CAB66F37B1361686D76961E94,SHA256=22125763357F2440D58BCDBF7F08FED7FFD0B4AE6AA28905F2D0988C89BADEC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162259Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.868{C6197713-567D-6116-2206-00000000E801}3140932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162258Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.759{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DCAE23EDACC594D727F5E939C27BB9,SHA256=0FFD909B3B401F194A0A042AEB7B1EC79DBDB8F00DE27DDB898800E6D48FB468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216119Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:45.396{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D28ECCD9B5F567D217A8223337F1A12,SHA256=BBBD52A94FBFD15B9358C5659534AC83248753B8E64BE65D8DD61C89FE17573E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216118Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:42.194{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64877-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000162257Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.649{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-567D-6116-2206-00000000E801}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162256Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162255Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162254Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162253Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162252Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162251Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162250Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162249Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162248Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162247Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.649{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-567D-6116-2206-00000000E801}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162246Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.649{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-567D-6116-2206-00000000E801}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162245Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:45.650{C6197713-567D-6116-2206-00000000E801}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162288Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.946{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D964E8770867114600C16E226D107EF8,SHA256=B620533C77494148161674AD5FD0AA6CC126D82786C4EE94E5FD1FD25FA11143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216120Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:46.403{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C265FC32182A20F46558D89A246B85DE,SHA256=F7C37AB2A04B9EE83B53B052EA26495ACEAC86613433EB273623450F9FED5A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162287Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.665{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE8A1B4897976A84594FDE829782EEA2,SHA256=C9EF3C1C58633062F836F5811E9D45C40CE0D024AB0E29804D11FEDCEFC380E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162286Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.665{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8E0848B3883355F3F1C1BCF329B955,SHA256=12B635A6C89DB4FEF45E83DC35AA155CF7EBFB7A308448A80A9F340939B37895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162285Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.649{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-567E-6116-2406-00000000E801}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162284Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162283Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162282Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162281Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162280Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162279Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162278Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162277Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162276Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.649{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162275Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.649{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-567E-6116-2406-00000000E801}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162274Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.649{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-567E-6116-2406-00000000E801}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162273Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.650{C6197713-567E-6116-2406-00000000E801}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000162272Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.149{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-567E-6116-2306-00000000E801}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162271Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.149{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162270Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.149{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162269Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.149{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162268Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.149{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162267Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.149{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162266Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.149{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162265Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.149{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162264Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.149{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-567E-6116-2306-00000000E801}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162263Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.149{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162262Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.149{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162261Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.149{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-567E-6116-2306-00000000E801}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162260Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.150{C6197713-567E-6116-2306-00000000E801}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216121Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:47.410{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB2A09E90AAEAADE47323FBF892BA0D,SHA256=05870E6B238724D48DC6224E905910CBEB47E83F97F4F9E11479776F4668C08D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216124Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:48.634{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FACD0E7FA872909E61E9EBD8E469946E,SHA256=73C96C706B89B91935010B0B99B3FF87ABFBB2261364707E7A18F249F9726F74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216123Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:48.632{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB3B43CF9A000E9253AC5333C67EC522,SHA256=E7BB462C0E292D735D7850524987D73E24C6B03008E2F7AF32D2355565126821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216122Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:48.415{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510D15153ABAED4BB7DF761D573368D3,SHA256=84A5A0BE45C8D8D51C41D84648A2F0A7EC50AA46DA10D9C08E3887C5CB499B43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162318Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:46.778{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52210-false10.0.1.12-8000- 10341000x8000000000000000162317Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5680-6116-2606-00000000E801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162316Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162315Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162314Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162313Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162312Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162311Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162310Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162309Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162308Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162307Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5680-6116-2606-00000000E801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162306Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5680-6116-2606-00000000E801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162305Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.712{C6197713-5680-6116-2606-00000000E801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000162304Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.509{C6197713-5680-6116-2506-00000000E801}32722204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162303Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.430{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162302Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.087{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5680-6116-2506-00000000E801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162301Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.087{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162300Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.087{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162299Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.087{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162298Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.087{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162297Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.087{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162296Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.087{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162295Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.087{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162294Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.087{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162293Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.087{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162292Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.087{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5680-6116-2506-00000000E801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162291Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.087{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5680-6116-2506-00000000E801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162290Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.088{C6197713-5680-6116-2506-00000000E801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162289Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.024{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB3421896D84DFAFB3571713A679607,SHA256=85623ADD79B3D28B9CF191CC7568FFD17B7D516C14FF96E415FD4FE029C5E0F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216132Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:49.420{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3695B7C29FE549864C209588CFAC6143,SHA256=3B7B25AE20DDFBC1300A4C3D9FDD927A7D17516CE32913BD50CCEEA88D544193,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162348Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5681-6116-2806-00000000E801}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162347Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162346Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162345Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162344Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162343Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162342Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162341Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162340Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162339Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162338Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5681-6116-2806-00000000E801}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162337Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5681-6116-2806-00000000E801}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162336Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.884{C6197713-5681-6116-2806-00000000E801}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000162335Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.368{C6197713-5681-6116-2706-00000000E801}14643948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162334Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.227{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B8BE709C62235107C70C0899BD0497,SHA256=E7515B989DD633B91F3DADC99373EF9BAF9A077161C747921616F7B06CB76AB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162333Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.212{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5681-6116-2706-00000000E801}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162332Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.212{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162331Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.212{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162330Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.212{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162329Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.212{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162328Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.212{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162327Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.212{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162326Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.212{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162325Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.212{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162324Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.212{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162323Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.212{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5681-6116-2706-00000000E801}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162322Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.212{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5681-6116-2706-00000000E801}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162321Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.213{C6197713-5681-6116-2706-00000000E801}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162320Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.087{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE8A1B4897976A84594FDE829782EEA2,SHA256=C9EF3C1C58633062F836F5811E9D45C40CE0D024AB0E29804D11FEDCEFC380E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216131Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:49.040{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216130Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:49.039{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216129Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:49.039{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216128Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:49.032{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216127Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:49.032{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216126Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:49.032{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216125Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:49.032{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162319Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:49.056{C6197713-5680-6116-2606-00000000E801}32842912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216134Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:50.434{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C65F61FDF7097285A85BFC5E0D254EE,SHA256=376C324BA5DE3311151FEBC6189ECAB4E796272EFB88626A2F9BEC317E186543,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162351Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:48.091{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52211-false10.0.1.12-8089- 23542300x8000000000000000162350Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:50.368{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11D7222CFDAD5E3A8FEF6690AFB246A,SHA256=95CA5C438D7AC16AB29D46C962582E220683A9039DBB2F6576D0CFFEC89F958A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162349Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:50.368{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E67325110CC722C43BD84A117CD3E58,SHA256=D25A86F42AFB8D5A479E4583E1DCDE4E2737AE68719A2519D1993E48DE2A7FFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216133Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:47.375{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64878-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000216185Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.982{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1000-00000000E701}384C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216184Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.978{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216183Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.926{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216182Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.926{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-0E00-00000000E701}992C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216181Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.849{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E5AEDEA6D28EB8144A240F730FB598,SHA256=C94C90852E6B14610427A118518385E6C7EA627F3B0CD2B832C3595F2C03EF79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216180Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.848{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-0E00-00000000E701}992C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216179Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.847{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216178Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.757{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216177Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.757{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A1-6116-0C00-00000000E701}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216176Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.625{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A1-6116-0C00-00000000E701}832C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216175Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.621{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162352Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:51.368{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84973A741E8F869C645775726DD1D947,SHA256=8E9C83D024A9A70C47FB21FA0CB38D943F2ADFDFA0CB21A031AB7DD03B4702B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216174Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.405{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216173Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.401{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-269F-6116-0900-00000000E701}568C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216172Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.365{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-269F-6116-0900-00000000E701}568C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216171Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.289{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216170Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.289{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216169Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.289{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216168Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.289{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216167Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.289{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216166Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.289{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216165Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.289{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216164Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.289{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216163Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.289{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216162Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.289{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216161Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.289{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216160Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216159Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216158Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216157Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216156Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216155Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216154Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216153Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216152Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216151Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216150Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216149Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216148Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216147Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216146Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216145Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216144Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216143Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216142Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216141Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216140Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216139Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216138Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216137Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216136Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216135Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:51.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216232Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.971{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26B1-6116-3A00-00000000E701}3388C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216231Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.971{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26B0-6116-3300-00000000E701}3260C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216230Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.955{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26B0-6116-3300-00000000E701}3260C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216229Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.955{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26B0-6116-2F00-00000000E701}2680C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216228Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.895{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26B0-6116-2F00-00000000E701}2680C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216227Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.891{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2D00-00000000E701}2348C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216226Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.883{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2D00-00000000E701}2348C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216225Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.883{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2C00-00000000E701}3052C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216224Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.871{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290DD35E21DFDE74728ECF33A3828EE9,SHA256=57CF97F66EAF1EBC245A8FF6744CDAA9EB17BB37B8D463E6A7F149AC8ACEC0E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216223Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.863{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2C00-00000000E701}3052C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216222Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.859{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162353Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:52.399{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4244F79D40890543EF8793428D1D933,SHA256=C0A7A2F8CE503D15C9938966F4CFD8E59116E842932378104E157B36F80FC5BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216221Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.831{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216220Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.827{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2A00-00000000E701}3008C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216219Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.815{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2A00-00000000E701}3008C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216218Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.815{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216217Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.771{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216216Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.771{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2800-00000000E701}2948C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216215Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.759{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2800-00000000E701}2948C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216214Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.755{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216213Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.727{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216212Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.727{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216211Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.703{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216210Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.703{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216209Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.659{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216208Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.659{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216207Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.619{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216206Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.619{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2200-00000000E701}2748C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216205Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.547{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AF-6116-2200-00000000E701}2748C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216204Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.545{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AB-6116-2000-00000000E701}2604C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216203Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.511{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26AB-6116-2000-00000000E701}2604C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216202Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.507{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A3-6116-1F00-00000000E701}2132C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216201Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.483{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A3-6116-1F00-00000000E701}2132C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216200Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.479{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1700-00000000E701}1404C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216199Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.455{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1700-00000000E701}1404C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216198Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.455{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216197Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.318{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216196Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.318{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216195Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.270{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216194Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.266{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1400-00000000E701}1076C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216193Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.190{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1400-00000000E701}1076C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216192Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.186{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1300-00000000E701}828C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216191Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.122{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1300-00000000E701}828C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216190Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.118{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1200-00000000E701}772C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216189Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.090{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1200-00000000E701}772C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216188Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.090{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1100-00000000E701}408C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216187Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.058{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1100-00000000E701}408C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216186Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.054{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26A2-6116-1000-00000000E701}384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216261Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.981{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EB3-6116-B501-00000000E701}3312C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216260Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.981{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216259Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.933{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216258Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.933{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216257Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.913{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6755073D96EBB925FC7B15CE6DBBFB57,SHA256=16CF229F3F89989447512EF2C5571A3514E86C4C97E5570A41E81293604CB9A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162354Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:53.415{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8DE69859975148F1E1EC3FD9D6B0F6,SHA256=86996978EF738EBC6DDDD987C57CF5F81FB4474F9D8DB9EFBF9CEDFA6BE692DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216256Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.847{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216255Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.845{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216254Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.740{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216253Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.739{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216252Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.676{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216251Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.672{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216250Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.460{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216249Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.424{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2851-6116-B900-00000000E701}4228C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216248Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.336{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2851-6116-B900-00000000E701}4228C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216247Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.255{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2850-6116-B600-00000000E701}3524C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216246Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.215{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2850-6116-B600-00000000E701}3524C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216245Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.215{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-284F-6116-B300-00000000E701}684C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216244Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.171{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-284F-6116-B300-00000000E701}684C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216243Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.167{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-284E-6116-B100-00000000E701}2548C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216242Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.146{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-284E-6116-B100-00000000E701}2548C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216241Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.143{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-272A-6116-8000-00000000E701}3236C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216240Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.103{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-272A-6116-8000-00000000E701}3236C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216239Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.099{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26C1-6116-7200-00000000E701}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216238Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.071{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26C1-6116-7200-00000000E701}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216237Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.071{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216236Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.031{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216235Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.023{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26B1-6116-3E00-00000000E701}3480C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216234Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.003{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26B1-6116-3E00-00000000E701}3480C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216233Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:52.999{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-26B1-6116-3A00-00000000E701}3388C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216297Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.950{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B44FBAA1850CB9EB2A6905D49937B1,SHA256=E7CCFB15C9FCC3DC9FBA9F5B2CDC345C41CD1BD3AA4F3DF061E5C8F8A17645BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162355Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:54.431{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D62B1D57551E1FCC686BFD459FA63B,SHA256=CE65908B505423FF7DCA5C87012FD6E7623C4297D306F3262164DD16004ABF56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216296Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.632{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216295Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.601{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216294Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.601{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216293Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.601{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216292Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.601{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216291Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.554{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216290Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.554{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-51B5-6116-9506-00000000E701}6460C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216289Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.544{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-51B5-6116-9506-00000000E701}6460C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216288Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.543{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-51B5-6116-9406-00000000E701}6928C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216287Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.540{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-51B5-6116-9406-00000000E701}6928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216286Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.538{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-4EA7-6116-2D06-00000000E701}7060C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216285Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.518{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-4EA7-6116-2D06-00000000E701}7060C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216284Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.518{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-4EA7-6116-2C06-00000000E701}5388C:\Users\Administrator\Downloads\ghidra_10.0-BETA_PUBLIC_20210521\ghidra_10.0-BETA_PUBLIC\Ghidra\Features\Decompiler\os\win64\decompile.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216283Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.514{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-4EA7-6116-2C06-00000000E701}5388C:\Users\Administrator\Downloads\ghidra_10.0-BETA_PUBLIC_20210521\ghidra_10.0-BETA_PUBLIC\Ghidra\Features\Decompiler\os\win64\decompile.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216282Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.510{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-3FDB-6116-1404-00000000E701}1600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216281Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.494{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-3FDB-6116-1404-00000000E701}1600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216280Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.490{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-3FDB-6116-1304-00000000E701}3948C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216279Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.490{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-3FDB-6116-1304-00000000E701}3948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216278Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.486{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216277Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.386{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216276Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.382{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-3DBB-6116-C803-00000000E701}4240C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216275Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.358{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-3DBB-6116-C803-00000000E701}4240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216274Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.358{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-3DBB-6116-C703-00000000E701}580C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216273Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.354{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-3DBB-6116-C703-00000000E701}580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216272Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.313{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-3124-6116-1D02-00000000E701}2972C:\Program Files\Eclipse Foundation\jdk-11.0.12.7-hotspot\bin\javaw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216271Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.217{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-3124-6116-1D02-00000000E701}2972C:\Program Files\Eclipse Foundation\jdk-11.0.12.7-hotspot\bin\javaw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216270Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.217{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EBF-6116-C001-00000000E701}5324C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216269Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.177{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EBF-6116-C001-00000000E701}5324C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216268Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.177{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EBB-6116-BF01-00000000E701}6036C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216267Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.129{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EBB-6116-BF01-00000000E701}6036C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216266Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.129{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EB4-6116-B801-00000000E701}5656C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216265Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.089{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EB4-6116-B801-00000000E701}5656C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216264Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.085{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EB4-6116-B601-00000000E701}5476C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216263Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.041{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EB4-6116-B601-00000000E701}5476C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae182|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216262Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:54.040{079FE16A-539A-6116-D106-00000000E701}25406992C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe{079FE16A-2EB3-6116-B501-00000000E701}3312C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+aff9c|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+ae2c7|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88c22|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+88e99|C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe+cd640|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216299Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:55.956{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026C827F265C128814B9C9BE8EBE93A3,SHA256=42977279A62163BD65D97AE7A3643743D20A53357A6E1C53B811556C4FB69425,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162357Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:52.747{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52212-false10.0.1.12-8000- 23542300x8000000000000000162356Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:55.462{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08D9EF8BE7423ADB0D308AB6F50F250,SHA256=01668EE7B03979F3F3CADF8023C606FCBC4779DA009655A2FF4D574573B0E4B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216298Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:53.132{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64879-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216300Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:56.971{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF779D9149D1A78E4C2502AAC74737B,SHA256=593A21E1A1B793750DE1E0041541AC187E579D23341898E9B8294D5A1FB7EA85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162358Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:56.556{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8406E4CA1CE9ACF0F3F6557EA3FE3037,SHA256=DED17FB1F5D3FE36E9A941517DA9645BCFBA1A2C51974D92AE2AA761CB2B0586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162359Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:57.774{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF46F1BC5B60A2F3E6F23BE2ED7C6831,SHA256=2772EB13C6AED519DB9CFCAF5CE0A6F9EBF209EF75F771068DAA2A67885C756E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216308Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:57.954{079FE16A-2851-6116-BF00-00000000E701}46526924C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216307Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:57.954{079FE16A-2851-6116-BF00-00000000E701}46526924C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216306Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:57.954{079FE16A-2851-6116-BF00-00000000E701}46526924C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216305Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:57.954{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216304Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:57.954{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216303Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:57.954{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216302Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:57.954{079FE16A-2851-6116-BF00-00000000E701}46526924C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216301Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:57.954{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162360Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:58.777{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E08180D549ABBE551D2C546AF5A504,SHA256=63BDEE6066EF5AFA6B38D63123A0AE50777BA2F7CAB160AA7E06E212DDBF6519,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216312Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:58.054{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216311Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:58.054{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216310Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:58.054{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216309Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:58.016{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEF54FD63D50A0DC36002C0F32A0FC4,SHA256=11078D597B19A002D9E399F3FE5F3FEB22DED274F6676C85575751B259455701,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162362Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:57.749{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52213-false10.0.1.12-8000- 23542300x8000000000000000162361Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:24:59.789{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3E79CDC06F6B83C1D49C51200F7263,SHA256=8A716E6E35C643E331F78362519879E6B103E10B2464CAC66579A9521D278F49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216321Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:59.786{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-568B-6116-2E07-00000000E701}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216320Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:59.786{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216319Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:59.786{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216318Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:59.786{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-568B-6116-2E07-00000000E701}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216317Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:59.786{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216316Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:59.786{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216315Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:59.786{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-568B-6116-2E07-00000000E701}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216314Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:59.787{079FE16A-568B-6116-2E07-00000000E701}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216313Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:59.032{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2E48AF0CC86000C5239BC0D1D9BB03,SHA256=2BAD525D0C6A6F89B67D339F4A0019F980829386A37D4BF270B6B9B181E68808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162363Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:00.809{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F451FF6D9FD88F27F5FCA11CAB1FA1,SHA256=75CAF2849E53B3FEFF62B88C586A1C2F5E5BE4E1D4FE2A6F900CA49341C63345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216359Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.801{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57304DC36335A7D917E66FBFD6FB9B0B,SHA256=50D0F39571E5112472524F7F98CD69ED370687D85014E26FE8F2B53577817E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216358Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.801{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FACD0E7FA872909E61E9EBD8E469946E,SHA256=73C96C706B89B91935010B0B99B3FF87ABFBB2261364707E7A18F249F9726F74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216357Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.770{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216356Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.754{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216355Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.754{079FE16A-2851-6116-BF00-00000000E701}46526924C:\Windows\Explorer.EXE{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216354Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.754{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216353Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.754{079FE16A-2851-6116-BF00-00000000E701}46526924C:\Windows\Explorer.EXE{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216352Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.754{079FE16A-2851-6116-BF00-00000000E701}46526924C:\Windows\Explorer.EXE{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216351Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.754{079FE16A-2851-6116-BF00-00000000E701}46526924C:\Windows\Explorer.EXE{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216350Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.617{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216349Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.617{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216348Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.617{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216347Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.617{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216346Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.617{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216345Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.617{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216344Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.554{079FE16A-26A2-6116-1600-00000000E701}13003556C:\Windows\system32\svchost.exe{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216343Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.554{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000216342Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:58.311{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64880-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000216341Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.486{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216340Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.486{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216339Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.486{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216338Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.486{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216337Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.486{079FE16A-284E-6116-B000-00000000E701}8523620C:\Windows\system32\csrss.exe{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216336Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.470{079FE16A-2851-6116-BF00-00000000E701}46525928C:\Windows\Explorer.EXE{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+18cf2c|C:\Windows\System32\SHELL32.dll+18cc83|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216335Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.480{079FE16A-568C-6116-3007-00000000E701}6800C:\Windows\System32\colorcpl.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft Color Control PanelMicrosoft® Windows® Operating SystemMicrosoft Corporationcolorcpl.exe"C:\Windows\System32\colorcpl.exe" C:\Windows\System32\ATTACKRANGE\Administrator{079FE16A-2850-6116-EC13-0A0000000000}0xa13ec2HighMD5=362986B35574BF922A81E7B0BA50C96B,SHA256=AFC126088E3292D6455584222B70822D3A1AF397F48EF6982834A03ED181863D,IMPHASH=BF699192BC903253BE75CBD63776138C{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000216334Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.470{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-568C-6116-2F07-00000000E701}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216333Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.470{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216332Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.470{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216331Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.470{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216330Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.470{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216329Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.470{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-568C-6116-2F07-00000000E701}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216328Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.470{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-568C-6116-2F07-00000000E701}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216327Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.472{079FE16A-568C-6116-2F07-00000000E701}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000216326Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.301{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\AlternateServices.txt2021-08-11 16:30:08.992 23542300x8000000000000000216325Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.301{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\AlternateServices.txtMD5=02F4CCC9FF4B58CA07E99CF13B04101F,SHA256=B60DAF1B9229B25658CA83D68EC3BCEBA9076DF34F342D791671C99A2131971A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000216324Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.201{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\SiteSecurityServiceState.txt2021-08-11 16:30:08.892 23542300x8000000000000000216323Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.201{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\SiteSecurityServiceState.txtMD5=BCDD756F4F717B4CAFC94769B783FF4A,SHA256=6C9F1FDF1BA1BEDF33CD39D07EC315DD6F7C351C152633BE92A8C294249DFC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216322Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:00.032{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301F594CF34FA6449161CE987CBEB664,SHA256=77FC0DF63CC060A60542318CEAB610992A2A19851282BCB2D824E9A4C6B9C3EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162364Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:01.824{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EFA6EDAE3704163EC35A163111BDB5,SHA256=A9B165D3900C157242442C4E0C24F35E42C5F063D22A4AA4DC3B18B773CA1AB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216369Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:01.301{079FE16A-568D-6116-3107-00000000E701}41484428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216368Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:01.069{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-568D-6116-3107-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216367Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:01.069{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-568D-6116-3107-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216366Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:01.069{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216365Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:01.069{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216364Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:01.069{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216363Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:01.069{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216362Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:01.069{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-568D-6116-3107-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216361Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:01.072{079FE16A-568D-6116-3107-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216360Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:01.069{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72EA732046561502CBBA6EB2DEC0F19,SHA256=33533CC02DCF2DFDBE0BB343DD4112688311BC3000E254E27636634BAAA19DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162365Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:02.824{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F790E1F47D6280FCA09164C23420443,SHA256=3F14BCDF7F23BFF9DA70FEF45A7624CE409194BD184B9825530A78E44A54D600,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216380Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:02.917{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216379Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:02.917{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216378Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:02.917{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216377Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:02.901{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216376Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:02.901{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216375Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:02.901{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216374Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:02.901{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000216373Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:59.561{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64886- 354300x8000000000000000216372Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:59.559{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local59796- 23542300x8000000000000000216371Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:02.070{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F211879FD4064300249994B3271CA5B,SHA256=30886BE25685E14985FF06E8B2902F4C1ABC7932400458E90BA1524FA3C56942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216370Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:02.070{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57304DC36335A7D917E66FBFD6FB9B0B,SHA256=50D0F39571E5112472524F7F98CD69ED370687D85014E26FE8F2B53577817E71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162366Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:03.840{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A4224E31BC20E850BCDEED8710D841,SHA256=56CF097F3AAB4228B2EA35847CAFC9B8BC252426B18011633B2B7A465284822E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216391Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:03.971{079FE16A-568F-6116-3207-00000000E701}60447156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216390Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:03.754{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-568F-6116-3207-00000000E701}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216389Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:03.752{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216388Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:03.752{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216387Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:03.751{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216386Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:03.751{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216385Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:03.751{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-568F-6116-3207-00000000E701}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216384Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:03.751{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-568F-6116-3207-00000000E701}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216383Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:03.749{079FE16A-568F-6116-3207-00000000E701}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000216382Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:24:59.562{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-414.attackrange.local64881-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x8000000000000000216381Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:03.070{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D20DC426131BEFB4B27FFA4BE1CB6C,SHA256=A8D23710D1DB167E2FF99BA9EB7B5AA25A57128A3BBCB5FC77261809B2658792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162367Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:04.855{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AB74EA77E0DBAFFC3EF3275D0159CB,SHA256=8B263FA665FC02CEB08612B2C681C14FEC0A4CE884BE4B343BC9BC8382642068,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216410Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.916{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5690-6116-3407-00000000E701}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216409Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.916{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216408Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.916{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216407Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.916{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216406Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.916{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216405Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.916{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5690-6116-3407-00000000E701}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216404Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.916{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5690-6116-3407-00000000E701}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216403Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.918{079FE16A-5690-6116-3407-00000000E701}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216402Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.785{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=678D9CD35E09A1F53BCF16CE8706B977,SHA256=8CD2D250FA1B6ED17D97B89D60BE0863304EE1D7B42A92F630C4459C7243EA6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216401Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.654{079FE16A-5690-6116-3307-00000000E701}22965800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216400Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.417{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5690-6116-3307-00000000E701}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216399Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.417{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216398Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.417{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216397Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.417{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216396Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.417{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216395Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.417{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5690-6116-3307-00000000E701}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216394Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.417{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5690-6116-3307-00000000E701}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216393Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.418{079FE16A-5690-6116-3307-00000000E701}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216392Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:04.086{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB23C66E938AEFE490F0D94491CDB4E,SHA256=AA5C4B5FB1E58C5426D2ABDB59230912AC722B885AA5A856CDE6822FC4A95FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162369Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:05.855{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B12A0BF8F530A7CDF8EFE894474A927,SHA256=BB2AF052D6F0185A31E165EA9E3F5268D1E3C1D90A7CE5C45643D87C9556BB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216424Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:05.917{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DAF486829C16B4FFE19937D6CE9ED9F,SHA256=4788C80BB3352A33B0D6B4BC0B9B22E92EEFC77FB04EB8F992026EF2B1B9E7BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216423Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:05.633{079FE16A-5691-6116-3507-00000000E701}65727128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000216422Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:03.326{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64883-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000216421Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:02.873{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64882-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000216420Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:02.873{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64882-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 10341000x8000000000000000216419Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:05.417{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5691-6116-3507-00000000E701}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216418Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:05.417{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5691-6116-3507-00000000E701}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216417Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:05.417{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216416Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:05.417{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216415Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:05.417{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216414Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:05.417{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216413Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:05.417{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5691-6116-3507-00000000E701}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216412Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:05.419{079FE16A-5691-6116-3507-00000000E701}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216411Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:05.103{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE9B4B973EFFDB252C8ACA91563788D,SHA256=107C6D17D094B6455CE4C86AB510FA11293E373F3520A768CFA58FAF2B1497D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162368Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:02.937{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52214-false10.0.1.12-8000- 23542300x8000000000000000162370Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:06.887{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340401945E0D48E0867B254832C5D5C5,SHA256=55F3F8A6C2AE135644E1CC6676C166F53705F217A18F4E304D5FB13F7C756282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216425Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:06.118{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EA649D132DE7178BF0DB508D19DDAB,SHA256=7F5CCE89D5DDD17FAD82D13F54940C405712C3106A34830ACBF067DB23A6744B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162371Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:07.887{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19074DB458EDD8774DF8415705F9C141,SHA256=035D6F017C05A0B1262AB2ECD2385DD47FCE93C1D675798DDEC469426DA4F82B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216426Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:07.118{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFAC64FD97AA160C06B2B900C0F9B71,SHA256=ACB01F7665F29980FC128EC55D789FAC1836F010DECDDD1FB31BF320D4DE9B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162372Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:08.887{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1B93F5EA37C4682B4BA803DAB1B487,SHA256=27A92FE66008F13205801583CD9A1D73E7AF8322765D2A428732A00E01D25CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216427Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:08.119{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5911FE0C1C5145202619F180729260D0,SHA256=2AB4981D8D136FDAB66A025EF3C2C0092A5D894FF260FF54849B87FE5EDA8B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162373Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:09.918{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482466EFCD0262F7A99273B6F679DC25,SHA256=55948F574C4186F4F92CF8FF0FAE912FE46D83BDB3A4092EE948DEB48BCD4571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216434Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:09.533{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=0086D32592B2164D32DBC61B5023CE5D,SHA256=D4B340EB40D572475AC1D31CBAEC49AF3CAB57EFB8221EA58C269112FBD0DF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216433Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:09.533{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=151C7A9FAEE71A26577896A4318BC1DF,SHA256=B11B0A139875E9E44D06885A96849ADF9B22606347A325CC489A6E22232C1A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216432Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:09.533{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C162986D993A82E02B0ACB52CFC9D5FA,SHA256=BFA25619776B4DA6616E9A38EECE6FD599EEC2079A61033F25E9824F23EA7578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216431Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:09.533{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=9D042AE7638E2ED7FDD287BAFA0E1EC8,SHA256=80A212FD73D20E56EA7D2EE8DC763B43D83ED5D71A578BF39DBC9E424B8183EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216430Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:09.533{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D73108B58DD0BD679D21C2828CCB52D8,SHA256=EC2DF666A08E5B4B62A0061E33B80951D3C904BFDD1153E30D37F554CAD83358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216429Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:09.533{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=6D9B64C82331EBBA6809CCA5516E6C99,SHA256=8AC6F9CB8B10B3A31F02F9537DA85AF154B67B7CB1EC0C92F7551C5BBB82683D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216428Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:09.134{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A3D5CBF696F9BDBE6E813339E00E62,SHA256=519D286FB5186A921C98742C3E6D9FF88441AAADD56DD801101F771E09054434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162374Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:10.949{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128319A93F71E65A13EC0B9D9F3FD975,SHA256=0B505F32B56BE9F5E8BFAED85E94B18F3D11022B9ED05860BE1A0D2E400EBEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216435Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:10.170{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F1E5ACF337BA6A9755FD3EBC8CD358,SHA256=D89F85E56135D390822521D6A279896608FA93A3724BD2B364AC93CA0EB71F41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216437Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:09.357{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64884-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216436Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:11.200{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A14C4499ECE9815497E805BE66A40C5,SHA256=25E0DCDB28871B46330CD7273E4B3822EE259E5B1A8E453C69175E9E71F1AED5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162375Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:08.703{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52215-false10.0.1.12-8000- 23542300x8000000000000000216440Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:12.632{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216439Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:12.632{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=76EC88EEA50BA58FD8A65A1F77337442,SHA256=50DC07D2E83EFB5CA62F84A938D840A2B902E811D6775850D82391ED94825883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216438Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:12.201{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339A4F6C34C1D4B906C4B6FF5995C702,SHA256=045ACDF0D83813C316672E8B00D9D46E539A9807DE54AA5E75352F44C88FB745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162376Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:12.012{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291BA6F084A2CBC093792EFFA718B750,SHA256=F1BAC9D3D5665EBD62058E5BDF7985481B2AD801713C64112F89219EF30A4F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216441Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:13.216{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D9148ABA25F3BD1DD9C23C4D7D2CB3,SHA256=14A93F52FE5327BD2C1CF15D140930B8B107735BA11F8F7B3603EE10ADB0896C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162377Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:13.059{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC497D4D85445541279D2AE5E8A6257,SHA256=6F4E54D8A300BDB4AC027EE6E84FFF2B74CA2097B6BA184947B565B71AB5F21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216442Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:14.231{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F116B55076EEF910387BF2750FC1990,SHA256=9B393639E37CE3A3066FDF1D6846FD8C6225605B19CB8DF51D1913BC3FC9CA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162378Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:14.074{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71482DDC670F7FECE746E0CA7DCCCD06,SHA256=E54B68D43D8E13F953D7EE4ED9632B092B62A9321ED5108A6218302248EA2951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216443Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:15.231{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACC9C498DF0AF55E58BFF708B209B9F,SHA256=DF2F57256494E0C94F53BD40F08EE18F657D7E50A88C4D02097E769F2445BFCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162379Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:15.074{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89164DB22852F9712F3E89B6F654BB6E,SHA256=E244F960A44A95BA9BDFEEC7FD027165E69F89CD14949A4A386F2F5EB821A13C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216444Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:16.231{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B40AA30750A0759ACBC7402C0C8DFF9,SHA256=C2449DD682110EDE0A8646C2CF3B9C2AC09A63C670841CAD6402A7D01494B32D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162381Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:13.891{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52216-false10.0.1.12-8000- 23542300x8000000000000000162380Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:16.090{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDAB65519F2E9DD8F2D33B5320D143BB,SHA256=286578445E287AEFF72751143DA0A5183B1345BBB3F4BE0945A6FEB42874BCED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216446Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:15.125{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64885-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216445Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:17.248{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13080F164B240468DF2F48A55C044C51,SHA256=463315CFB46ED9391D630127444A866CB9E1A9ECC9EBCDAF6B767080E58F3946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162382Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:17.152{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A867D585687E2CFD6409DC35986A864E,SHA256=AA09A5C56C23E9D8B4023D8A86A75C81C4B1AA964CD6AD2B361256DCD26141EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216449Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:18.314{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+a32069|C:\Program Files\Mozilla Firefox\xul.dll+a31f8a|C:\Program Files\Mozilla Firefox\xul.dll+a31b79|C:\Program Files\Mozilla Firefox\xul.dll+a2dd0f|C:\Program Files\Mozilla Firefox\xul.dll+a2e01c|C:\Program Files\Mozilla Firefox\xul.dll+b7b16a|C:\Program Files\Mozilla Firefox\xul.dll+2f5709|C:\Program Files\Mozilla Firefox\xul.dll+2f5614|C:\Program Files\Mozilla Firefox\xul.dll+2f53fd|C:\Program Files\Mozilla Firefox\xul.dll+2f5294|C:\Program Files\Mozilla Firefox\xul.dll+bcc903|C:\Program Files\Mozilla Firefox\xul.dll+bcd5d1|C:\Program Files\Mozilla Firefox\xul.dll+bcc5fd|C:\Program Files\Mozilla Firefox\xul.dll+bcc552|C:\Program Files\Mozilla Firefox\xul.dll+b9c028|C:\Program Files\Mozilla Firefox\xul.dll+1a5de25|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f 23542300x8000000000000000216448Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:18.282{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=109C3D09365B166D1051280E8445981B,SHA256=9CC9DFCA0B11350660D9E740005E024AC3AA306945712878BE4E97702E27A832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162383Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:18.152{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958180645892F184670E0B4B8E64F340,SHA256=EE0B4B580848E6ABB58D029FAE862BBECD9A5A235B12D14F9FEAF2E8A20DF9B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216447Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:18.182{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+a32069|C:\Program Files\Mozilla Firefox\xul.dll+a31f8a|C:\Program Files\Mozilla Firefox\xul.dll+a31b79|C:\Program Files\Mozilla Firefox\xul.dll+a2dd0f|C:\Program Files\Mozilla Firefox\xul.dll+a2e01c|C:\Program Files\Mozilla Firefox\xul.dll+b7b16a|C:\Program Files\Mozilla Firefox\xul.dll+2f5709|C:\Program Files\Mozilla Firefox\xul.dll+2f5614|C:\Program Files\Mozilla Firefox\xul.dll+2f53fd|C:\Program Files\Mozilla Firefox\xul.dll+2f5294|C:\Program Files\Mozilla Firefox\xul.dll+bcc903|C:\Program Files\Mozilla Firefox\xul.dll+bcd5d1|C:\Program Files\Mozilla Firefox\xul.dll+bcc5fd|C:\Program Files\Mozilla Firefox\xul.dll+bcc552|C:\Program Files\Mozilla Firefox\xul.dll+b9c028|C:\Program Files\Mozilla Firefox\xul.dll+1a5de25|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f 10341000x8000000000000000216462Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.806{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216461Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.806{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216460Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.790{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216459Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.790{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216458Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.790{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216457Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.790{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216456Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.774{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216455Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.774{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216454Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.774{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216453Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.453{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216452Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.431{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216451Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.431{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216450Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:19.284{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7400A0CB6A2CC75B3F9BDEBE8EC6AD95,SHA256=B4DBE9C264CE2CA7A754A5AA94D51C5D24207C368F67D67A277B009CF1A5DEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162384Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:19.152{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC8355FF1EF80CCE2C46F5EC4058B6D,SHA256=C2ECEA214350E30101086E3C25BF8CBBF0E33D99BAC05EA572487545340580FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162385Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:20.152{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C88387F24657B11A2F6C426DB1434F,SHA256=21D52A76A4BB591E98726F05CA8F8F1E0EAE9146D4C72C09648B76F949B72C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216463Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:20.293{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990028508808872A56EAEF40871E015A,SHA256=6775763E0B894BF72CC52AF11F4A73C200CA4B26479EDC7CCBC69FE2BB803D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162386Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:21.152{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84C1E4E860F0E8A04B4430B0989DCC2,SHA256=14FAE4A7EBC00A2C2D44D28752490D56D7FC017C1CBA2FE1624FB1960A73FF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216470Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:21.339{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928203923993FFCA84340CC1F0EC449D,SHA256=E98FF4CCB65FAD9E92485D5554E55432AA99CE28161A43BD6150B0F2C7795332,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216469Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:21.306{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216468Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:21.306{079FE16A-2EB1-6116-B301-00000000E701}46765696C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e30|C:\Program Files\Mozilla Firefox\firefox.exe+37d26|C:\Program Files\Mozilla Firefox\firefox.exe+49300|C:\Program Files\Mozilla Firefox\firefox.exe+48ffc|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216467Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:21.277{079FE16A-2851-6116-BF00-00000000E701}46521900C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216466Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:21.277{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+a32069|C:\Program Files\Mozilla Firefox\xul.dll+a31f8a|C:\Program Files\Mozilla Firefox\xul.dll+a31b79|C:\Program Files\Mozilla Firefox\xul.dll+a2dd0f|C:\Program Files\Mozilla Firefox\xul.dll+a2e01c|C:\Program Files\Mozilla Firefox\xul.dll+b7b16a|C:\Program Files\Mozilla Firefox\xul.dll+2f5709|C:\Program Files\Mozilla Firefox\xul.dll+2f5614|C:\Program Files\Mozilla Firefox\xul.dll+2f53fd|C:\Program Files\Mozilla Firefox\xul.dll+2f5294|C:\Program Files\Mozilla Firefox\xul.dll+bcc903|C:\Program Files\Mozilla Firefox\xul.dll+bcd5d1|C:\Program Files\Mozilla Firefox\xul.dll+bcc5fd|C:\Program Files\Mozilla Firefox\xul.dll+bcc552|C:\Program Files\Mozilla Firefox\xul.dll+b9c028|C:\Program Files\Mozilla Firefox\xul.dll+1a5de25|C:\Program Files\Mozilla Firefox\xul.dll+ba1e6e|C:\Program Files\Mozilla Firefox\xul.dll+ff2e56|C:\Program Files\Mozilla Firefox\xul.dll+2debd4|C:\Program Files\Mozilla Firefox\xul.dll+2d805f 10341000x8000000000000000216465Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:21.266{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216464Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:21.266{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216471Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:22.346{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC321E2C249DC5D4B3DFF00D7D56309B,SHA256=FE98AAB84966642ED76C619EF46280816762D62B733702D1EC35148E3B2F4834,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162388Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:19.844{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52217-false10.0.1.12-8000- 23542300x8000000000000000162387Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:22.152{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E339B2A632F9C4DAE12070FF9359DACE,SHA256=03884571FCD71A316ED1F332E8673CB20BA059C6141A0D61BCC094393B78E88D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216473Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:20.294{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64886-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216472Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:23.364{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8D11CFAC45849BAE3C4F2F1866D82D,SHA256=6EBB59B76F779555F9A82C0579FE382FD0FB82AAEF25564217890728DD9B5F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162389Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:23.152{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61A4FF31566C3BD7C35B52E9468A85C,SHA256=99988940DFD7B058D1B4CF1067911F877FEB23C6C59B5A76F1B871F89B3C7C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216474Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:24.370{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCCC77FA10D8DC37F2EE96E53A64489D,SHA256=919E24FD5613394BAC3F9000993CC5B4A62B2398764CAD90DA7D881AA0451537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162390Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:24.152{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E25CA3487E3B7CCF408BDDCAA657A7,SHA256=251EF2A4C56CA0E0008983B2AA0CF9011399F5E0168B2BFA51A325D90166E2AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216475Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:25.447{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76071090524BEB52274173044D4D5AC9,SHA256=09DDC6972C2DD77992B0FE378C8ABF407FE270571AE5A86640A034DD2DF57FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162391Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:25.168{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62831ED219E56EC0D7211BA52E2B766E,SHA256=A8C3FE08DD523D1B4DA6E59E2BADF286BD705FE1C38C48E4D13DBE2DF3F7A975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216476Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:26.684{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4D6937101147451FB19E7977D91B2B,SHA256=527368324CFCA2CA172E489765931FB52BCB7E1DD84C13AF5BD5A16F93D042CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162392Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:26.168{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83D67549B7528E5F98E33BE3DEB9363,SHA256=97451FD559DB4E906744D2F518CB707B85616BFA15DB4538A5CF05A40C49B563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216483Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:27.695{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF97D088F06338D07713419804BB358,SHA256=FD399F44F00946A0EDECF406C4AE693052AB263D537C173E649407A47D7D6130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162393Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:27.199{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E52E64D141BFB52445B70D516E8F6C,SHA256=3D4D9AC8FB935F8266E17B51C266A0BB05CC103D2E05189820B5DB47DF9F5C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216482Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:27.445{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=A4559B46CD44534891EE9412D9A0EB43,SHA256=FF8441696010CE7E702066C93EF3F4E97C7317B4A7F4E3E35FA3BECA10A288F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216481Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:27.439{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=27822AD2B97F7F937EE2430E7AB2E5AF,SHA256=011DD554989334C59C502769FA3C0B80B18E7E920178B0174E09CDC22C8F6483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216480Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:27.425{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=59A1A7AB4CB33D033653BA486B7B3428,SHA256=8C92F26A386A351142944C1B1B3690429A9704BE5A768F6F35FC9CD569DC159A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216479Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:27.423{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=BE93E5DFA16C8EBDD576CB4F0AB66FF9,SHA256=1E8A9F8AD9EA78E26C66D6A805E0E22AA77D100156AEAD0FF4DE9E2A27E8EE90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216478Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:27.420{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=AAE5F1F04038F504393AFD752D029755,SHA256=F30212EEADAD0128C548579FA4B0F0BDAACB89197FDFBA543FE2C7595A31B0FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216477Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:27.418{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=A5E305A8D6E342D9A80963DD70ACD19F,SHA256=AFC0DCDE3D1D000E2C3668107781C417DF77396CB45BB66D9656DA60E2B20CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216484Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:28.700{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051DC002EE3FF579F2B0DA90C5AF09B6,SHA256=EBB97F5B27278010E99B9B1248ACF32A7C3FC0E0D35721CEE0863044FE8AB143,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162395Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:25.844{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52218-false10.0.1.12-8000- 23542300x8000000000000000162394Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:28.246{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7870ABF7A11C962D17C6695124FF9CC5,SHA256=17009BADDE342D13AEB561B6935B24F4D596977450CE8C121A1D00ABE608CA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216486Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:29.706{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04BA2FBB6178914AEA59F8B4C704F45,SHA256=3611C7600A5462ED8D63BEB4F7CCEEB309963C1204666234475F56CA65D1E9FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162396Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:29.262{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBD72DBB21EEA7B2E77E2B24907DE22,SHA256=FF0D1194921F8EA9348E2C6D2454C64BFEB67C79041C00765AA0D4C17A77C28C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216485Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:26.195{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64887-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216487Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:30.712{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15ED5CCEB0638C61942C6B29ED58F3F2,SHA256=98F4FD53702EF5D4DABA6080B4684B106BDD9F1EACB6E42F87BF16B52E2342F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162397Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:30.262{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A20ED801143D99F87B57D6E89FB2BE6,SHA256=78D41A95F16B4361B2A2090616EFC5A40DE4A6940603E805F5318CECBD32D2B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216488Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:31.716{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2EFB20C11178E8F7310EB227B79C94,SHA256=251F21813A933A3DE8DB1E47E9D8BE8327F6600DAD5B7B330933116AD254E21E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162398Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:31.262{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2787CB84BA6DF9446883BAAB39F941B4,SHA256=FEC6E0C779993CFEFAF343E6DA24D5EB2314FA37848E7C93AC18144528E47059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216489Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:32.728{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A1D8FDCE8EB031BAD45BC260FD939B,SHA256=DD17D21AD520921792527C7753FD733DFD7C0EBDCF41E0A8533C5CB9A0069049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162399Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:32.324{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C3DF53668E5972464087BDBC0E5CA31,SHA256=4E2BF9EE36F13D84462E8C23B49D5009F8D932C400FF1D262FB65DF1D5FE61D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216496Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:33.736{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D847BB501EF81DBEB22EDD912C63EB2,SHA256=094CD832595CF7BE65EEE40B26A0536E45BA89F4A13E2D088938F8532CDA4AAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162401Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:31.860{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52219-false10.0.1.12-8000- 23542300x8000000000000000162400Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:33.324{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6854048FA78233A1715B11F74933FED,SHA256=A9F8E36E7FC0D906D41588CB0914FA916F272631B4CD4FA9C8562565356F1DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216495Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:33.294{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=222CEF7DF6D7E766F7327E62A6991789,SHA256=DC5082D1802D2A72696743D0C5EFBB173447E055F473BDE398BEE0B8870757B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216494Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:33.292{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=51E37386BEF34F8A18C33EA50A70CDC7,SHA256=2F48109C066D423A398A7BFAA697C8D5D7AE024B2721BF33AC1CA36E4311D28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216493Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:33.290{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=1AC915F27A4D17C31FB9FFAE6E8AB0A6,SHA256=22070503075FD3596585BF2C10BC9E97D2E6A14FBBDC54ACF73F31CA2DA5416D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216492Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:33.288{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D415B102D426B497DA5065D54644686F,SHA256=317857DCE832C4A5181366C8E3300C09B21B43BE087829ACF060767951E9585A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216491Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:33.287{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=99DCAC622CCCE951C6384DF2CA05E24A,SHA256=DE0E6BED86CF9668A0AB2A86A974BCCEDC260554345713411B32CECC8FAF185A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216490Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:33.285{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=361B954C5544321F9970FAA05F33C6B4,SHA256=02745F898FD4F9840FFE61C7E28C8F5A754959F21AB80E75B4544F25CD1AAB7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216497Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:34.856{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE8A94EBB09C18CDB62FDF94BCFF9E2,SHA256=63627F48BF6B3E6159FE095C286D3D42C66F93C178AEB54D4E8E6DE5EDD47191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162402Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:34.324{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71867444185BE9A0928E9D8CCAB9D12D,SHA256=98E502F34BE652C9F7836CFA1C6D73050783FEFF5764FB5794BE390452DA303F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216499Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:35.917{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C56E3B40773309F80112279B09240B4,SHA256=E20C255FA7BAF2EC868CB3167C5DE4832C7FC1DD0801493274D6A435627DB627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162404Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:35.324{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85A29AA4FF99A505AE2BC1622BEBAB4,SHA256=CFA9B38E31128C6E21177694B5FA708F9F20B7449129D0FC9550C50C544067E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162403Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:35.324{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EA610394DFC8D9365E9333264E4002A9,SHA256=E98D797242948426D424EF8EA8044523FF3552751A16DE03A30380510BEDA62C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216498Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:31.291{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64888-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216501Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:36.966{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023D166479F0AD00C74745327A857518,SHA256=4FA2A82539BECE6B396831D5CB144F0DBAF34D9C9A4BF0DBD0A6AE6269B97C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162415Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:36.325{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850309A16BB3B3CEB68F661CD793FDE5,SHA256=47D9469482B5C1DD176D62166DC07FE0D7F4A4FCB25BB8F4794ACD3DC464C497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216500Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:36.934{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7B012A2DF98852A4484217BF4F5AEE8E,SHA256=ED5421B7D92479479D6482A6A9A3D3C4B867355FD7FC9129ADD620353C82ED5E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000162414Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:25:36.153{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000162413Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:25:36.153{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00bbc882) 13241300x8000000000000000162412Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:25:36.153{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902d-0x8dee2d6e) 13241300x8000000000000000162411Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:25:36.153{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79035-0xefb2956e) 13241300x8000000000000000162410Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:25:36.153{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903e-0x5176fd6e) 13241300x8000000000000000162409Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:25:36.153{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000162408Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:25:36.153{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00bbc882) 13241300x8000000000000000162407Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:25:36.153{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902d-0x8dee2d6e) 13241300x8000000000000000162406Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:25:36.153{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79035-0xefb2956e) 13241300x8000000000000000162405Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:25:36.153{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903e-0x5176fd6e) 23542300x8000000000000000216502Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:37.970{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B455C223E28506BED7834E429FB37D34,SHA256=BBBE7EAE74DD7AC2EDB9BA8AC3AFBF12E5862E9DF1A3F2F1DBDD38CD9E583094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162416Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:37.341{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD598ECB5292B3BE1BE7A0364C9DCA6E,SHA256=BDB16A7BC22DF2210D67736389B775A6A5A1B662509479E7C940900D29C358DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216504Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:38.974{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69677C2E823DF4D134C30DB6908589B1,SHA256=FB69C4CBDE8A2054789FE19D5CE5C1712DEC52562AC5EBC0440E183C680712DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162417Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:38.341{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841866EC53ED4683845397741387D344,SHA256=7DE8AA8C46BA1346FDC49E30CC6A5BEA19A879328A87C1AF535F27CB34A70E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216503Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:38.910{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216505Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:39.980{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0224F0195C2B005AF243D290EDA4E772,SHA256=E47ACE97EB29D4D31B7FE1AFFD177214925CE138D92B08A6D3B8B97D7AD6F31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162418Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:39.356{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808EC33322CE7B9A39BA26232B0B4A39,SHA256=2179830A6CB8FFED34418520CB590D70D0485BB47F3E3F2E50E98BA95647B4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216508Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:40.990{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19B6023A421E0C767D9015D332A19AE,SHA256=9602799B6416B6D3F60752686B15775DFB351F211715A04C797F4EAC4C069D9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162420Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:37.861{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52220-false10.0.1.12-8000- 23542300x8000000000000000162419Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:40.356{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B8919BA6EE940D86DE064920AAF1E3,SHA256=D883AE39212FD72E5C336F114782953E359907DBF38649665B3903AF9EC44EA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216507Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:38.028{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64890-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000216506Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:37.239{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64889-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216509Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:41.995{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C1323C8D176CEDF9B07B82404B4298,SHA256=5CC863D94B5E65E2BA3EF914645ECCC4FE7AB6A5A7F3D49BB3C54E377681E521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162421Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:41.372{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BB18BB585E7375D3D93F31A0725A79,SHA256=CBDCE123C5D4E48ACEDEBC71A7CF6B841D330C24CFC24ADF1A27DACDB12469E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162422Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:42.388{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6113BC21614218B4D442CAC059DFDE7,SHA256=32ACAD7A134406B54655982FDC48D0C6B383F79C99C85307EA793C1A9D235FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162423Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:43.388{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A718EA4E68E8174AD70BCBC4E92C78CD,SHA256=313145A451F27B0E6983D2F8C66BB5C7618489AF1783812023462BB95FDB76A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216510Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:43.002{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=393BADF71CE24012B2AA6FCA4B14F2A9,SHA256=1B09DA98269F551D74DB4AA711B8F278784CD80312B7BD64A5D6C259F0812EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162424Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:44.419{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D453BB41D4818843C48BC588186D3074,SHA256=160A342FE429723EB71F45817051F7574BBFD876D3F2A99DBCBF1F5B84A59D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216511Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:44.007{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC81261E69236DC093BFEBFA08061E9,SHA256=6484D55F7DC3DDF9DFC0C6D8A1E631EE8AD3E0AD98DFD84FB38B4E092E91B8A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162440Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:43.830{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52221-false10.0.1.12-8000- 10341000x8000000000000000162439Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.841{C6197713-56B9-6116-2906-00000000E801}24523136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162438Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56B9-6116-2906-00000000E801}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162437Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162436Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162435Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162434Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162433Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162432Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162431Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162430Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162429Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162428Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-56B9-6116-2906-00000000E801}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162427Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56B9-6116-2906-00000000E801}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162426Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.638{C6197713-56B9-6116-2906-00000000E801}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162425Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:45.419{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7E3FE150097E5EB511BD05C2572818,SHA256=C748185A18B3630B3D4ADA114265906DA3CA729BAB268E86B9229C8F8611F196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216513Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:45.117{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D3C7DB378AD95F58BA6A4ED105B978,SHA256=2CDA94DB9199D085A6DED288DB767C4F55133CDBF13844295EA9EF176AD1D924,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216512Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:42.309{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64891-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000162469Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56BA-6116-2B06-00000000E801}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162468Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69175C259E3014F1BC74622AFCF62672,SHA256=14B2DC469742A3180101C9621D1AAD8B7C8526341C52144D622649E445C4AA58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162467Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162466Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162465Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-56BA-6116-2B06-00000000E801}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162464Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162463Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162462Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162461Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162460Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162459Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162458Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162457Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56BA-6116-2B06-00000000E801}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162456Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.858{C6197713-56BA-6116-2B06-00000000E801}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162455Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B10147694D720AF038388D08372E0C,SHA256=5075270F20438C56A291B9345CEFAC55C325B7FFCFA465587994E0A8BEAF7F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162454Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.856{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6ADDBCAF764F1D8E4F4A7E6661C7F59,SHA256=5DA48BFE8E385DD96B4CDE331B5ACDC32B5CCD09E3B73A8B0201F1481342CFCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216514Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:46.345{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422272D11F3285D2B42551722738D942,SHA256=81D1E2E1E478028DB0C8A7889766825F927CB145122A64D2AF7BBCB3F95C722E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162453Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56BA-6116-2A06-00000000E801}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162452Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162451Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162450Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162449Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162448Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162447Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162446Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162445Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162444Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162443Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-56BA-6116-2A06-00000000E801}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162442Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56BA-6116-2A06-00000000E801}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162441Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:46.310{C6197713-56BA-6116-2A06-00000000E801}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162471Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.872{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69175C259E3014F1BC74622AFCF62672,SHA256=14B2DC469742A3180101C9621D1AAD8B7C8526341C52144D622649E445C4AA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162470Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.856{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDCBE544F90259E83A0FDF8CCD68267,SHA256=4F05748302F80D6B0CBE8D909D75A606386F7430E37B1B2E5657EBC951FC7F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216515Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:47.351{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B825D802E9BD01B25B02808A8DE6B6,SHA256=F1A6676507AA96A9F37988BA36CC42F45676D9F0898DF5C91DED973131CFC747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216516Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:48.377{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B1E5DB92AAE7D4AFB586293B42D991,SHA256=10CC297805B52E02C33201D121FABD662F4A5F1E1A0B9D0F89CD59B1464BC0F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162500Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.778{C6197713-56BC-6116-2D06-00000000E801}3256352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162499Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.513{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56BC-6116-2D06-00000000E801}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162498Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.513{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162497Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.513{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162496Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.513{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162495Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.513{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162494Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.513{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162493Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.513{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162492Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.513{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162491Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.513{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162490Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.513{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162489Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.513{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-56BC-6116-2D06-00000000E801}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162488Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.513{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56BC-6116-2D06-00000000E801}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162487Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.514{C6197713-56BC-6116-2D06-00000000E801}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162486Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.450{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162485Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.278{C6197713-56BB-6116-2C06-00000000E801}3483484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162484Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.997{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56BB-6116-2C06-00000000E801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162483Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.997{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162482Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.997{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162481Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.997{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162480Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.997{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162479Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.997{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162478Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.997{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162477Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.997{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162476Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.997{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162475Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.997{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-56BB-6116-2C06-00000000E801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162474Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.997{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162473Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.997{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56BB-6116-2C06-00000000E801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162472Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.999{C6197713-56BB-6116-2C06-00000000E801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216517Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:49.382{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82249EBC6BFAFBDB30310DCAECA076C,SHA256=34AF690A41037B658B98DCD6CC15F052304056729D354C363337E2C6B503B7C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162529Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56BD-6116-2F06-00000000E801}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162528Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162527Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162526Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162525Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162524Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162523Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162522Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162521Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162520Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162519Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-56BD-6116-2F06-00000000E801}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162518Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56BD-6116-2F06-00000000E801}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162517Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.685{C6197713-56BD-6116-2F06-00000000E801}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000162516Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.185{C6197713-56BD-6116-2E06-00000000E801}32162692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162515Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.138{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA383E76944F7A6A73E1CDA2D5324730,SHA256=0B173D4E0C7ED51A0EF0171BEF5EC3BC815946FD417ADAD2E8DEDF61A0CCBE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162514Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.138{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46457C84185D03385B5443CF95B1FA0F,SHA256=F56FD30DDCD9DF436F07E0A108D928A1F48087648AE0D588605963FFEFEFBB42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162513Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.013{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56BD-6116-2E06-00000000E801}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162512Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.013{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162511Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.013{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162510Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.013{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162509Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.013{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162508Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.013{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162507Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.013{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162506Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.013{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162505Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.013{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162504Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.013{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-56BD-6116-2E06-00000000E801}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162503Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.013{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162502Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.013{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56BD-6116-2E06-00000000E801}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162501Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.014{C6197713-56BD-6116-2E06-00000000E801}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162533Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:50.294{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318BC41FD48311B1180C14F1EA9675C8,SHA256=046A4D9D0587E2ED5E484DB5A26A6A647BF131B68F81E62A3E4A5D3E38056C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162532Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:50.294{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18593E64F7502206AB91F9018937A54C,SHA256=D82211F66C5C0C0973684EB397513E05B1859867FAAAD3C00397D46C503336D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162531Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:48.112{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52222-false10.0.1.12-8089- 354300x8000000000000000162530Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:47.828{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse45.115.216.177-57649-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000216519Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:50.401{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=094A81331BE60A91C585310B4E8E0216,SHA256=C796A46ACA6646A24D3029E4CD84D89CEA22D298DDFD1A125E44076AD448AEC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216518Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:47.333{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64892-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216521Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:51.414{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED94AB3B69356BBEFFB266D87C0C250,SHA256=09C9C8B9CABB0867E2503D2E0C95DC54895780760D785B786DF250A741C16ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162534Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:51.044{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE19A57EC8BE354F1E88EC1EA5B99964,SHA256=BE173A0F1D8E7188F642A250C0C55B677A4FB46290B166F8C8FA9213D9725645,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216520Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:48.992{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.15WIN-HOST-86758904- 23542300x8000000000000000216522Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:52.432{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4D01827BA694963C9B4D00AF4255D4,SHA256=964785A4BAF88065EC90973CFF9092452552A80019C9279024A7D7011D5501C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162538Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:52.169{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6163FF8C8E78A04F10B6A070708BE67,SHA256=C90CD408ED66E6C658868323F060F36F86E56742472C27DCC864C2003D94C4E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162537Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.830{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52223-false10.0.1.12-8000- 354300x8000000000000000162536Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.798{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-867.attackrange.local58904-false10.0.1.14-53domain 354300x8000000000000000162535Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:49.549{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:2801:4a2:6c7:ffff-58904-truea00:10e:0:0:0:0:0:0-53domain 23542300x8000000000000000216523Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:53.450{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92918BD280AA5457B557F79BD5417938,SHA256=2BEE9E776975D6089FC53EE4E271BF68538BD4781E0A1BED8D3974937490D484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162539Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:53.231{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2B7E2D93A2AB7F08398ED36AF893EA,SHA256=DFFFD32EEA4F09C0FDEA3A5255D34E8F1DA68EDA315FD7C18BC722577DC074EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216524Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:54.464{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D386F9B9CFE90286B827C65264356DD5,SHA256=CCE3939B3888A57966381BD1FE168B1471B2BDB0B82927E4D616E1A7D9CAF04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162540Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:54.325{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637ED0A405656027D788192B182B1DEE,SHA256=B7FAA2B7B4C6FB29F25BFCDAAF1BE96ED47A8BA7EA5D7D72AD7E7DFDE89E56E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216526Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:55.465{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E4905E257688D9D1391538A2B3640D,SHA256=3FC1AAE08F0A9F21B09CF34976AC007E2E8A5B7A5DFFE435BC4F4FD431DAC151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162541Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:55.356{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74657F1F12A0A2DBA6B3B64B31C4C331,SHA256=C14201D8F553F0BFD60E1AAA902CF961F22443FA893856EA4D236AF21F789E0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216525Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:52.353{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64893-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216527Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:56.480{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630B6775F4C70F5A9F009FCC8A5955F9,SHA256=71CD0752FCB8473A07720A6E1C7B492B806A381A1576E10F394D28291089925B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162542Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:56.356{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467B21FCB91E82E36E52C4EBD2B902D8,SHA256=57837AB0E7951BC14301EDD3C29F078D3939B34C2D44076D74979C0FD7A9DDA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162546Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:57.372{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED9D1461AC08339C9BECEC8BE29475C,SHA256=82CA35D381F601AC7F141BD2F78AAC7AE7DD5307E8472F1AC3F66BA6594962BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216528Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:57.495{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80DB35FBBC2A45BC94D0327728E9479,SHA256=9400C47EEF311C0D5B0C826B302D641E6764F597E1700B640741827E878AE710,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162545Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:54.924{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52224-false10.0.1.12-8000- 23542300x8000000000000000162544Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:57.294{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C48714C957D4EE151BB123235B8E3354,SHA256=89C9197E0DD7D3CE4AEA1853975B81B826DC1B01AE2B60C03731A54480777CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162543Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:57.294{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC0F33E28219FE643CE8746B10D75A5F,SHA256=8BB6AC551E239B097EEA235A25FD8520D0D359640F8479D7AD8CF17F2BFBA7B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216532Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:58.509{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3DD721E6A376D01909730BDF7D4A06,SHA256=0567CDE83F2093135FF5EC04E94CF5469A6F62FD7031244167BB7A1176C68FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162549Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:58.388{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34108BCE6C1F6C4A2DEC7907F439B325,SHA256=F39E7981DB774904E955BB5B0C0557411F40CC2EA25B5C3A566DD9900706B93E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162548Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:55.975{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52226-false10.0.1.14-49672- 354300x8000000000000000162547Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:55.973{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52225-false10.0.1.14-135epmap 354300x8000000000000000216531Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:55.418{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-86752226-false10.0.1.14win-dc-414.attackrange.local49672- 354300x8000000000000000216530Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:55.416{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-86752225-false10.0.1.14win-dc-414.attackrange.local135epmap 354300x8000000000000000216529Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:55.415{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.15WIN-HOST-86762693- 23542300x8000000000000000162550Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:25:59.434{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB049644BCA0A29BE2780C5F9CE0DDE,SHA256=9B3FB3DDFA02A6E2A0BCF6716AD81B9B21B57317B3B0AC7F12348747BC36E737,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216541Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:59.793{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-56C7-6116-3607-00000000E701}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216540Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:59.793{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216539Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:59.793{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216538Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:59.793{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216537Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:59.793{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216536Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:59.793{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-56C7-6116-3607-00000000E701}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216535Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:59.793{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-56C7-6116-3607-00000000E701}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216534Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:59.794{079FE16A-56C7-6116-3607-00000000E701}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216533Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:59.510{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C92B8A511CF8363F461D3EAD5CB918,SHA256=24FC308CB4AF91E9089830AA52409B4BD34F3AE9D4B28F3E89337C52AE00F557,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216562Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.848{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-56C8-6116-3807-00000000E701}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216561Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.848{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216560Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.848{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216559Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.848{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216558Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.848{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216557Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.848{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-56C8-6116-3807-00000000E701}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216556Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.848{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-56C8-6116-3807-00000000E701}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216555Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.849{079FE16A-56C8-6116-3807-00000000E701}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216554Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.795{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90E7B127A9CCC48E23FD17E5AF945FC5,SHA256=DE83239E5F74ADC5B77A0B28E6A5A3627CE10B2D09AD133750A8DF940F1A8477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216553Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.795{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19598E87AAA8A8075508033ADCF3836B,SHA256=75F696E1AD94F9D930E03AD8AA8062D0B538D174E414E0C30C9A3C674A2F3EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216552Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.511{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6452F5E0D47AA4BD25B5EE9FD3FD6B3,SHA256=1D3E2C62817D8FD8CEE05C6995C81DFA282ACC30E8FAFE9FF7C632ABF716D257,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216551Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.495{079FE16A-56C8-6116-3707-00000000E701}45923440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162551Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:00.451{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7D76CF2DBABE5E50F1C2B741D9B563,SHA256=92BB25885CC8F94C0B057C1AA6FE7798EFC65F1C3062A75AE627503CF1E8CBD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216550Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:25:57.372{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64894-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000216549Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.295{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-56C8-6116-3707-00000000E701}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216548Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.295{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216547Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.295{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216546Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.295{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216545Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.295{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216544Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.295{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-56C8-6116-3707-00000000E701}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216543Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.295{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-56C8-6116-3707-00000000E701}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216542Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:00.296{079FE16A-56C8-6116-3707-00000000E701}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162552Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:01.475{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4B9D3CC698C04B05091BDB6B2EB32C,SHA256=F861963996E8CA9510BE689E586DD3DECC2295C41215D8A78E4CD20092C56F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216564Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:01.863{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90E7B127A9CCC48E23FD17E5AF945FC5,SHA256=DE83239E5F74ADC5B77A0B28E6A5A3627CE10B2D09AD133750A8DF940F1A8477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216563Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:01.532{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD491C48D51E76F10BC4050CA6C4439,SHA256=9E35C2F6C96B54C08D25DE8B4FCE7C9BFD01D8E93B508B036E0B7286A1F289AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216572Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:02.909{079FE16A-2851-6116-BF00-00000000E701}46526368C:\Windows\Explorer.EXE{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216571Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:02.909{079FE16A-2851-6116-BF00-00000000E701}46526368C:\Windows\Explorer.EXE{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216570Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:02.909{079FE16A-2851-6116-BF00-00000000E701}46526368C:\Windows\Explorer.EXE{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216569Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:02.897{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216568Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:02.897{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216567Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:02.897{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216566Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:02.897{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216565Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:02.548{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9121203AA34F0D6FCF3AEF4769F9D97,SHA256=4095D7960332B0BEA254CCD0B96B12105B39F449E05392940C7248C6F2E592A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162554Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:02.507{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B993F9C91567AF06DDDA28D6B33D836,SHA256=044015FA3BCDB9C132F80901CD700DEEAD5040DF6A859B1068FDC0647F6A7C3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162553Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:00.887{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52227-false10.0.1.12-8000- 10341000x8000000000000000216582Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:03.966{079FE16A-56CB-6116-3907-00000000E701}6366300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216581Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:03.688{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-56CB-6116-3907-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216580Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:03.682{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216579Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:03.682{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216578Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:03.682{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216577Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:03.682{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216576Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:03.682{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-56CB-6116-3907-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216575Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:03.682{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-56CB-6116-3907-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216574Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:03.684{079FE16A-56CB-6116-3907-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216573Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:03.576{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA18E76046090C260CEC56271360412,SHA256=A2BF13F9A29B30627FBCE9DF94EA84B418A793213C87F12F5AA1EF4AAE165FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162555Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:03.507{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1411C3414257DC74C5965162D5C483,SHA256=AC45094DF2E7C255FAED0A388E650EE268204583EAAA2FFB6D27F010AC6F2EA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216604Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.968{079FE16A-56CC-6116-3B07-00000000E701}13525928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000216603Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:01.967{079FE16A-2EB1-6116-B301-00000000E701}4676www.google.com0142.250.186.164;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000216602Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:01.965{079FE16A-2EB1-6116-B301-00000000E701}4676www.google.com0::ffff:142.250.186.164;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000216601Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.804{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3B2C659AC2EF36A5728A90706D0653,SHA256=FB6C79178B51894C8B732AC7B7196CC6617531B67066AB493E3B88B3DDDC9913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162556Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:04.569{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DFF88AF43701BABD4FE61EAEC957A4,SHA256=4BCA7857053548F79CFC8E09AC11A9288CA84AC412DF0607B711D02F34E7E9D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216600Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.733{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-56CC-6116-3B07-00000000E701}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216599Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.727{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216598Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.726{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216597Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.726{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216596Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.726{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216595Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.725{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-56CC-6116-3B07-00000000E701}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216594Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.724{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-56CC-6116-3B07-00000000E701}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216593Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.723{079FE16A-56CC-6116-3B07-00000000E701}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216592Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.698{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5160A662A57351F7B7B30F29C65BC53,SHA256=9B8E2C3CC27084B5EF1358BFF7284D35AC074E07408DB134E02C8ACAB30C97CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216591Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.499{079FE16A-56CC-6116-3A07-00000000E701}9086804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216590Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.228{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-56CC-6116-3A07-00000000E701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216589Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.223{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216588Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.223{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216587Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.223{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-56CC-6116-3A07-00000000E701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216586Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.223{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216585Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.223{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216584Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.222{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-56CC-6116-3A07-00000000E701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216583Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:04.221{079FE16A-56CC-6116-3A07-00000000E701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216617Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:05.817{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=629A56BBB15FB3A7B3EB41F0FF47AD2F,SHA256=8ADC197D90E699324854A93905F7DA1F2F627CEC5E6340E0E55BF14F9C6A6C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162557Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:05.585{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F9D8F0AA0F47A0D714318EB356E32F,SHA256=96AB597C4F949416279C60C67D620F3931DDA07EC00332EE13593039383E4CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216616Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:05.735{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBEAC143AEE26750EC51E594B4B04B9C,SHA256=924F7FBD8E88CA357DF4806A7CE5D197D8130A66D7AB7BA80E8A8B6D1CF15C9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216615Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:02.879{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64895-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000216614Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:02.879{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64895-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000216613Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:01.956{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local49644- 10341000x8000000000000000216612Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:05.404{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-56CD-6116-3C07-00000000E701}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216611Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:05.398{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216610Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:05.398{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216609Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:05.398{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216608Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:05.398{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216607Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:05.398{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-56CD-6116-3C07-00000000E701}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216606Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:05.398{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-56CD-6116-3C07-00000000E701}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216605Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:05.400{079FE16A-56CD-6116-3C07-00000000E701}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216619Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:06.818{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A52CC457625B224198D3B657F20366,SHA256=FD37EA4C5BCB71E370604FAA87D27136F84D72AE82A76D413AE7ACEE1B32A912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162558Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:06.585{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD953F925F4BB4F33CF0AD6AA590DE1,SHA256=CA7C17DD6276029FF836FFD519C4B8F691C0CB94CBB8811BD1656C350CAF60E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216618Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:03.128{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64896-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216620Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:07.914{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4F76CBE2A82437223DAEE9D334C8BE,SHA256=D30B2812CEE1686AB510EA97CA07AA5700A42EBEC7173410310580C91C1CADB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162559Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:07.585{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B39D991CED7EE4F401C595C0FAC9BC2,SHA256=0D43F0C4EF5C51C93A5D114BD1FC721B889692A408398B1AD3A21FF8FF4E9E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216627Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:08.961{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF75091642150AB1B58464A34809E48A,SHA256=41CDEA51A743F29053C31B8CECE43325CB386C8EC3D17D7F97CCD62B3C7C8F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162561Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:08.585{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BE5251C35089C01CDC52BBB4871D62,SHA256=B3A09AB165D4987CE6369FEFA089B88D375B95F9E41C5A7C8A049AD0BA8B2F6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216626Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:08.228{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000216625Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:08.221{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216624Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:08.221{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFbc4b5e.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216623Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:08.190{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+c2ef3b|C:\Program Files\Mozilla Firefox\xul.dll+c27d22|C:\Program Files\Mozilla Firefox\xul.dll+c2d360|C:\Program Files\Mozilla Firefox\xul.dll+c2daa1|C:\Program Files\Mozilla Firefox\xul.dll+3b9a11|C:\Program Files\Mozilla Firefox\xul.dll+c2e859|C:\Program Files\Mozilla Firefox\xul.dll+c318d2|C:\Program Files\Mozilla Firefox\xul.dll+c2e276|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c0eed3|C:\Program Files\Mozilla Firefox\xul.dll+c0e0c5|C:\Program Files\Mozilla Firefox\xul.dll+c1463b 10341000x8000000000000000216622Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:08.190{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+c2ef3b|C:\Program Files\Mozilla Firefox\xul.dll+c27d22|C:\Program Files\Mozilla Firefox\xul.dll+c2d360|C:\Program Files\Mozilla Firefox\xul.dll+c2daa1|C:\Program Files\Mozilla Firefox\xul.dll+3b9a11|C:\Program Files\Mozilla Firefox\xul.dll+c2e859|C:\Program Files\Mozilla Firefox\xul.dll+c318d2|C:\Program Files\Mozilla Firefox\xul.dll+c2e276|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c0eed3|C:\Program Files\Mozilla Firefox\xul.dll+c0e0c5|C:\Program Files\Mozilla Firefox\xul.dll+c1463b 10341000x8000000000000000216621Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:08.190{079FE16A-2EB1-6116-B301-00000000E701}46764680C:\Program Files\Mozilla Firefox\firefox.exe{079FE16A-2EB3-6116-B401-00000000E701}4812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1ba841|C:\Program Files\Mozilla Firefox\xul.dll+a0df34|C:\Program Files\Mozilla Firefox\xul.dll+ba70a1|C:\Program Files\Mozilla Firefox\xul.dll+b83983|C:\Program Files\Mozilla Firefox\xul.dll+b83b37|C:\Program Files\Mozilla Firefox\xul.dll+ba6fbf|C:\Program Files\Mozilla Firefox\xul.dll+c19685|C:\Program Files\Mozilla Firefox\xul.dll+3c72c1|C:\Program Files\Mozilla Firefox\xul.dll+3c6e44|C:\Program Files\Mozilla Firefox\xul.dll+3c6ce8|C:\Program Files\Mozilla Firefox\xul.dll+c2ef3b|C:\Program Files\Mozilla Firefox\xul.dll+c27d22|C:\Program Files\Mozilla Firefox\xul.dll+c2d360|C:\Program Files\Mozilla Firefox\xul.dll+c2daa1|C:\Program Files\Mozilla Firefox\xul.dll+3b9a11|C:\Program Files\Mozilla Firefox\xul.dll+c2e859|C:\Program Files\Mozilla Firefox\xul.dll+c318d2|C:\Program Files\Mozilla Firefox\xul.dll+c2e276|C:\Program Files\Mozilla Firefox\xul.dll+3b9218|C:\Program Files\Mozilla Firefox\xul.dll+c0eed3|C:\Program Files\Mozilla Firefox\xul.dll+c0e0c5|C:\Program Files\Mozilla Firefox\xul.dll+c1463b 354300x8000000000000000162560Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:06.871{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52228-false10.0.1.12-8000- 23542300x8000000000000000216628Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:09.969{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F062C787155723E46EE518DCDE2F6E,SHA256=1E2282239DEFAF9A6FB06B0120413CBA027C890D832826F07815C5584DCBCAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162562Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:09.585{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFAB5ED36AE5F3D0FDBAA8375EBA609,SHA256=33618D656D468C9C11107C343B56FDCFE6F2D30B9B39CD87004ED930B71BF732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216630Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:10.970{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B7EB3148735378DDF89DBE74752123,SHA256=332BF2D69EA50CB7ECC4342D529C264BB487F4B8BD7A8953DCDAD82EE1B514F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162563Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:10.616{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314567FF2FB74725005EE4E0E66A0380,SHA256=C9B31A8940A0CDB43D84EA4A3E40D1888A9D3296B2308EA6677756123F2AF328,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216629Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:08.316{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64897-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216631Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:11.972{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2BAEA3288C6F782152EFE847898FF42,SHA256=7405878DEC7D1599BC567A49DA940E3EB9B0495628E51FA30D1286D1F4815718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162564Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:11.694{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4496310BD10B8586758E32A4ACF7E0F7,SHA256=09FD85A4A0ABE81F4DD53F32EF66E35AEF3C4A2DD4EAAB5D5C9500E30C30C65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162565Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:12.710{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F7E071E1F51EFFC5B8D3DC91B1E55A,SHA256=71DEC1FCDE0C7AF640B18A81A9299A012B70F69B603B8A290C04F9F35BD287D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162566Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:13.710{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F7B2A19D76DD6EB11F5CEE1A817526,SHA256=586B25B4CC5B91BF18B47742AB53BCD714DF42AB68429F5BFF23145009F3482F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216632Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:13.003{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A937E1381E55FE838E2AD8439B0D132,SHA256=977DDE48691C2F8E72E45BF6BE5A790A580826C861A0614AC3851550E1C6B6B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162568Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:12.809{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52229-false10.0.1.12-8000- 23542300x8000000000000000162567Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:14.803{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59AE05C2BDB4187E637D422F36FD00EF,SHA256=B1B69C9559FAD3C9ADBB6E3C8DD29CDF5E363646EF36412826F49849352DB5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216633Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:14.004{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5CA17EF16E28F253964CC2E28217B8,SHA256=1DEFD60F380C934C1EC2045FDD6A74D274B983EB03FD535CB97B2D467E1D1B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162569Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:15.819{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3532F1E6FB8965D0B783F4B5ACCC7A2D,SHA256=A3DE55AE4C2EBEF48E4A1B12831578115200EBA6B9011CCF21DE4F1338E17D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216634Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:15.013{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F9C5A09CA6CB99F63D22325092E375,SHA256=9A09599F414337EABBF9D3F23D551C1A42D6065C450A8CB0EBDF24C7B38B3300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162570Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:16.819{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF295E1478F3615F897D879FD8F163F,SHA256=B5A5B94B236AE97EF618A08674411E1214AF25686765FF7753788DA2548F5DD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216636Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:14.214{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64898-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216635Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:16.040{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5304C61AC43A87B3EA974A1541660CE7,SHA256=A5147DE2AD56BB61583132618F61A6C9571C8DC8A9606431B2209AA867075110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162571Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:17.850{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBFB1B2AB5E1E47D34522F20DBC936A,SHA256=5593458945158FBC89A606B33BA2D8AEEC8448BB25F4C22A2352BC341CC32D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216637Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:17.047{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D14D343CEB0667E6E4E36BE98F09543,SHA256=8993DB7C8F838E74A980C1DB44A07F0723726BDE4D7A40566639B66C36F7DA3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162572Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:18.850{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AB17F672DA7C6517BCE2163ECB8C5B,SHA256=CA6D6D2D38957FF60309CF99F6372A0F38E098D25F9B2350EFF4486DE050EF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216638Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:18.056{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6175E4D93D19BBC9431A25E9792F25BC,SHA256=E53E8E29345FDDD3C04A42EEDFFC9227C257573F8176E4D46D9340154F78316D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162573Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:19.866{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2E7D39DF24A3D2CB4DF640E3BB2283,SHA256=B283E2EF1D83245AEB1EE562A7FA581A62F70FC82C65A440BEA8136436EA8E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216640Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:19.801{079FE16A-52EB-6116-BA06-00000000E701}6784ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=8897482B10F5E06E48640B8C48D37D4A,SHA256=B8AAE0069FF668F5449868A7817FCEC818F5728499680A7A60CF7A61C393C4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216639Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:19.124{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515FD2E42C360F2F2596F7C33FD9ADFA,SHA256=68C02B6DD826693827EE88E182E07E78505DE8817575B3DB64FE74DD5AE4B4B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162575Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:18.841{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52230-false10.0.1.12-8000- 23542300x8000000000000000162574Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:20.866{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECEF1652F1D0B166D15B87F6158C6C8,SHA256=BD1A5FE521282BE502C02ED96F52426301C2CDE1FD1AEE4E915E5D52B7DA032F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216641Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:20.131{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270422587114CE6A2ACB01CC52FF06DB,SHA256=C175E982DCCF82B567FE11F8D86F67DEE8E6CBB746F8FCEED9A437456C733824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162576Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:21.897{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CD95A281A2C996F609E856D6B929C5,SHA256=25900D69DD2E0D538F9AAD47C78D5A9615C12D30D7CC176D78DBE827AB3A861B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216643Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:21.680{079FE16A-26A0-6116-0B00-00000000E701}6284932C:\Windows\system32\lsass.exe{079FE16A-269C-6116-0100-00000000E701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000216642Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:21.147{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494C056DA421FD99214ED87C48F70A61,SHA256=837349C273E8D213696ED8B74798E1CEFE1A09417E1C0F039B05E55EE5B13793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162577Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:22.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFF9D13D878E5A77D36440935C93E7C,SHA256=1C0EA3F233790D60FA4587856B83E149F90682A5B5538ABEF3B7036447E7A28D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216651Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:20.729{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-414.attackrange.local64901-false10.0.1.14win-dc-414.attackrange.local389ldap 354300x8000000000000000216650Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:20.729{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64901-false10.0.1.14win-dc-414.attackrange.local389ldap 354300x8000000000000000216649Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:20.709{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64900-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000216648Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:20.709{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64900-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 23542300x8000000000000000216647Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:22.694{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F59D5808576A6319A7EBF3DC1D07C93,SHA256=3CB055B03BA74CA31FDEF508CAA74D5C4D792385F2492EFA86E91545405F3472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216646Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:22.694{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0551A9D44B8E2FF923B32A60136504B,SHA256=513BD16BC746DC48FF79B66300DA9A0E2355451A658D7A99D194C3AFC53D56D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216645Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:20.145{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64899-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216644Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:22.157{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA56CBEA4EE0002629BF28EB09AE66F5,SHA256=A7EF656D38E12A0200F97924BAF87A1432432D31A3653FE382335F6920071FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162578Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:23.928{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4D2757E2D97C300C9F575B30843FF3,SHA256=BDAE32AC4F81893CF04AA792E18B0B426920D92E4E0C1691E3D588A977974F9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216654Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:20.807{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64902-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000216653Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:20.807{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64902-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 23542300x8000000000000000216652Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:23.171{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247B4756052487E47BDED8DB49F421AB,SHA256=12FDE87A4410995CF9B70D30C63075365F96903ECC0F83E0BAE109C40D0FC5A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162579Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:24.928{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EDA832041EF15646E94584F029F9028,SHA256=736333DE758D6902A32B6758FE82706B9E515E4DC5CECF4C868AC497D12209F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216655Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:24.172{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C32D8818938C0B84F508B571EBFEF827,SHA256=6C6A1ABD7C632BA415BB5006D67462FD6B724B93A0BDB4ED770D60D76C433027,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162581Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:23.919{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52231-false10.0.1.12-8000- 23542300x8000000000000000162580Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:25.928{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F87C0B876CE7A2F193F6C83F0F4AEA,SHA256=3421D96D9ED1B5AC174799E56C2FF10C4198FDA75C746393E521ECA77D9E3E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216656Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:25.173{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FBD4ED2D09A0DC498061572DA87A74,SHA256=8D990082CBD381B2D5073C0842DAB5F19A41D6C72E73E8A5EE918306410D8177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216658Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:26.723{079FE16A-52EB-6116-BA06-00000000E701}6784ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-08-13_112619MD5=0FDEBC645F7DF72D3198AEE68C714335,SHA256=01A18BC092AA38314259B1B81F8C25EAA9B5DFB8AEDE884E3F8FA709C5DCBF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216657Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:26.175{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C862242062EFA2EB202DD22ADB77D9E,SHA256=2AAD501AB7668EC8817ACAAD92AFB2D197550A28E08902E88FAB826359DDB396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216665Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:27.965{079FE16A-52EB-6116-BA06-00000000E701}6784ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-08-13_112619MD5=564C2157AF5617B3486AC759C758C5B5,SHA256=153CFE1645FD60C69203CDD221702E49237BFDB9321B2A94DF6D7AB024499094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216664Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:27.943{079FE16A-52EB-6116-BA06-00000000E701}6784ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=1430C209EFF7FD5583D3D311A56A889C,SHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216663Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:25.271{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64903-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000216662Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:26:27.613{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x8000000000000000216661Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:26:27.601{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\44A90C05-1D96-49A2-A5E6-242C78701B1A\Config SourceDWORD (0x00000001) 13241300x8000000000000000216660Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:26:27.601{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\44A90C05-1D96-49A2-A5E6-242C78701B1A\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_44A90C05-1D96-49A2-A5E6-242C78701B1A.XML 23542300x8000000000000000216659Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:27.188{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26AE820A03D40842A91FAC08942FBC88,SHA256=595DD5A681094E8F7095027FFB46B4A61B41ECE0D57819298DDBBADBE8E0D4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162582Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:27.006{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430FEB4573D38A0C7B5D9AD4FE915F75,SHA256=6C2D7658FF5F9FDE5CB3032E42C9D107EAA77E54C338FA990E583C4731B37643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162583Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:28.022{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457E42A6BD94335DF7C3CE0C60896499,SHA256=60C09D7E13713AFA8D25E9F927DDD70B19E8C157A7B5029B2C89F773CB418589,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216670Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:26.704{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64904-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 354300x8000000000000000216669Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:26.704{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64904-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 23542300x8000000000000000216668Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:28.620{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A07C949893B3D5EC40D57FDF51ABBBD4,SHA256=E566C766A33C741DB4FABFF14F30296D2D86C8D070C313F5B3C8188A70A795D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216667Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:28.614{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F59D5808576A6319A7EBF3DC1D07C93,SHA256=3CB055B03BA74CA31FDEF508CAA74D5C4D792385F2492EFA86E91545405F3472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216666Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:28.190{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B4126C9150839CD928B35097EB7747,SHA256=70B0ED4A3D5D62A9389F7BF5D317BBA08D4B6C1C33AC73493244EBCD9B75FD77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216675Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:26.749{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64906-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000216674Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:26.749{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64906-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000216673Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:26.741{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64905-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000216672Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:26.741{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64905-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 23542300x8000000000000000216671Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:29.191{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AD8E9E2AE8C8EC05E6F4D98EB1D83D,SHA256=C0B3D52AC76D98D8BC507892BE97BA9F30FDE3C65DFD9FD1360CEE7B258D20A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162584Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:29.069{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECA61F8F59AA5568A7F252B7C0DD674,SHA256=577DC1130579990EF1CB33E2802BDD806C535774BB1BC7DEC934A1BCDAC2CF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216676Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:30.211{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D5571D01C861A4CB35A92CFE454260,SHA256=41362871C96ED4E67B6775D7DAC577BC0E3EC90A703C6D7D8871A11F180FF380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162585Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:30.069{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0851F3095D21AA4D21166471F39F5D03,SHA256=D69E8780AB88A69F768352EFAA999AE0A4A3301CDFBCBD0063AE7D3B2D4E904E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162586Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:31.069{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C02591A437AC5CFC94053D161BF424,SHA256=E1665966E7694A1C974245EB27217FCD942035741ADAA524306E61326E868B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216677Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:31.214{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22653D0FF73E9E8226963336794BFCBA,SHA256=A61454AEC2E03EC4ECA6D7BF055C4838E7DD9083A67B4F3F8EF300EC6858B412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162588Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:32.100{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7D90CA78F9972E585A87B666A26422,SHA256=51EE325607052FFD55D140700FD33E5FD49D7125DFEA549543A901A5F3033615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216678Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:32.215{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6FA100F28B2BC45B8F7D2DD7AC3136,SHA256=0A88DAC497F745B06432560B63ABE2D176466601A87527976713CFB2E20C4627,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162587Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:29.716{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52232-false10.0.1.12-8000- 354300x8000000000000000216681Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:31.140{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64907-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216680Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:33.459{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A07C949893B3D5EC40D57FDF51ABBBD4,SHA256=E566C766A33C741DB4FABFF14F30296D2D86C8D070C313F5B3C8188A70A795D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216679Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:33.227{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D2D7FE6D37D9C86291D1B5A599F10F,SHA256=7F83CEAE5B4C4EEDEDF11445AB6EAB220E759898D4D577425A22542CF3F7F64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162589Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:33.116{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B1FCCF3CC57B1CA3E7CDAC9269BF10,SHA256=58CBE6938D2D35E60B4ADEFB8A940F299CBFFEF4E34C484DE837356DA259B745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216682Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:34.258{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED1E529D8C85160921789DC93807C1B,SHA256=977C4FFEA7AAB7027AC41B826978F9E6FDCAE1C61C9CDD415591C3AEADB5C13F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162591Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:34.116{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D0A6297FF06DA7BA25709F2C6A77A7,SHA256=9B31BAA7403BC5789CC3AFDE521684227EBAC42EADBF1E5586BC1E178E344C60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162590Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:34.069{C6197713-26A1-6116-0D00-00000000E801}7881080C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1600-00000000E801}1208C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162593Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:35.334{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B97324177BEA87F3BDDB2CF29E38969A,SHA256=2E7FC130E11225E3A98FB54B29349114A3C959442A7706F5F2B51967C5E1AD36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162592Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:35.147{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E650E219AE4F78A40CC31ECF0EB56F,SHA256=5B5598559C04412D72F10ACDBBD2669591654AC3A6BA2A6DEC9C022E0C261BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216683Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:35.276{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058DF94A1721DA17C9E082E8E9C0373F,SHA256=DE8C37B5ED13356FACCD59C17D09FF49B284554FE06F0EE47C6E160816E5B76F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162595Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:34.763{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52233-false10.0.1.12-8000- 23542300x8000000000000000162594Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:36.178{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8DE0657B0315C6780A9DB4E932DA3E,SHA256=B14E606ADA27AC8AAA6D0819E7E613E2FC3EA512C3FE6ED90800BE9207340FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216686Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:36.941{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1DF9AE69D948C65E72182FF762303CDF,SHA256=7B78A72F1E655E09284D0B99FE7DEDE52F6636D19FED49B6ADE622AB04B0D4CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216685Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:36.595{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216684Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:36.294{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7B072157ACD78254907A517ECBC108,SHA256=55A4A083C61328432465EC5A9BBBA5BD874F153EE2E66D0CF5F514034B1DB8CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162596Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:37.209{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC97B69A3DC7576DA12A6FF2B965E31,SHA256=CA9BE625D34FD2C5B8F5E9490B7D98A1F422AE96DC47872F67FBFA345C9FB110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216687Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:37.309{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE6079574E13DB9F07F1F24634F6E54,SHA256=F4AEBE871EC061E426F33B57E8802F14336F24DD9F9EDEB66CB64EA53E910D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216690Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:38.924{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216689Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:36.200{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64908-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216688Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:38.340{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83ACE01C697F131FA5BBC8BCAD3FC8EB,SHA256=E7BE21BA18BA5B0CE3A247684B84D963688313F07D68AABEEF40FCC18DC0498F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162597Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:38.225{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F948C1ADAD927704B6A718FE3AEA97E9,SHA256=80195721C184CA8052F79A09EAD420806695181BD80030E79185B9E14ACC0B32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216715Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.638{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216714Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.638{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216713Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.638{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216712Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.638{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216711Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.638{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216710Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.623{079FE16A-2851-6116-BF00-00000000E701}46523240C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216709Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.623{079FE16A-2851-6116-BF00-00000000E701}46523240C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216708Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.623{079FE16A-2851-6116-BF00-00000000E701}46523240C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216707Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.623{079FE16A-2851-6116-BF00-00000000E701}46523240C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216706Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.623{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216705Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.623{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216704Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.623{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216703Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.623{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216702Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.607{079FE16A-26A2-6116-1600-00000000E701}13003556C:\Windows\system32\svchost.exe{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216701Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.607{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216700Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.576{079FE16A-56EF-6116-3E07-00000000E701}67486408C:\Windows\system32\conhost.exe{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216699Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.539{079FE16A-284E-6116-B000-00000000E701}8523576C:\Windows\system32\csrss.exe{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216698Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.507{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216697Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.507{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216696Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.507{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216695Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.507{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216694Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.507{079FE16A-284E-6116-B000-00000000E701}8523576C:\Windows\system32\csrss.exe{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216693Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.507{079FE16A-2851-6116-BF00-00000000E701}46524236C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+204ae4|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+1757a0|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+17c416|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000216692Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.515{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{079FE16A-2850-6116-EC13-0A0000000000}0xa13ec2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000216691Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:39.354{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB3073BC617F454F4BB053DE6990EC4,SHA256=D9A3BB09E8739DCE60E6244A72BEDB827FA9E390AC91C1DC1803AE4443D3FD8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162598Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:39.225{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397F0B66827AEFD51E9F00D25250F7BD,SHA256=FBF9CEF79B36C265AE3529AD2385ED333DA2F2279B108270C154A8DB348BE0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162599Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:40.241{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F610EF9852497554C22350BC8AAFAB,SHA256=6C5462EF45F37EAEAB1A7CBF57EA7BE7CFC091891DB761E21DCA60764E7C331B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216719Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:38.049{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64909-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000216718Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:40.508{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6376F60E3ED0FDC077583936F81C76A9,SHA256=707D34916D5D1CEA679A4C141F52E6EB1F06D7285A9990C33211B94C2B978FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216717Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:40.508{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEEBCD7317653A5EDBAFEF593F996BC1,SHA256=8AF9BCABE57C89BAA09DCA5F216BD01AF178952AC2DFE23096CC79B08CCA6854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216716Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:40.377{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B54ACEFB8BF9C08218F72BB96226A01,SHA256=6CFDFCEB9829131EF6F9B75B9409D5D5F52E67C78845A059D2DD6C2F0CFDFF99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216727Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:41.593{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216726Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:41.593{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216725Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:41.593{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216724Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:41.577{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216723Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:41.577{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216722Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:41.577{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216721Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:41.577{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216720Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:41.409{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95870101FE7991B8F482993C32925335,SHA256=EC52AF7CD2E15C28131FEFBFA565ABBFD5D0C11E84CC59371530F6C267F914A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162600Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:41.256{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64BC79F5CF2CFDB451A2641B72B13DD,SHA256=34849A0623A471130E211DE242105E2EFF0F4B973E12DCA3D520BEE51071107B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216728Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:42.411{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5F184BD7D6D6A59EA2984D86662A6C,SHA256=507928516CE83D13ED227BD5A22F0D0C267576FD8CFBC56A07CB356029206762,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162602Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:39.856{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52234-false10.0.1.12-8000- 23542300x8000000000000000162601Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:42.256{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E455D3BF345EEEE6B744E51CCD89FCF2,SHA256=032B129C2F0E914BF8BD7AE211562A093E73D401EF9C442C96D6C20B793BCCEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216730Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:41.236{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64910-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216729Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:43.426{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB841A499B103FE1FB76B9FABD168C4,SHA256=8EF1DDF01C1F84ABED18A600C9C93CA5BFAA8B16FE4A4B7A69C581959BC83CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162603Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:43.256{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD909B51A38F0267AA5D497EDD50F8AB,SHA256=53B3E15728AD6D7B86358CDE9B618C29F17B00EEC339786E53C72FA74893B89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216731Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:44.440{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DFA9145E84A991D56F7101D4CD77D2,SHA256=A1E99459FC7389E1D2080DE858FF9550D5ADAEC37771B2A88D640B4E3000F7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162604Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:44.256{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7DD459F455BD144E62E2AE3B253563,SHA256=3CE6252B85CE4EAFDC06ACE69E131B0236A6AA021FB7562DD5935F8688E90F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216732Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:45.455{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A67421668F5C124057409737EAC2B63,SHA256=BC1603FCEDBE61F784641E98FD3992E43AC077F2564D910BDACDF7B993B7C3D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162618Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.647{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56F5-6116-3006-00000000E801}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162617Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.647{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162616Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.647{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162615Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.647{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162614Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.647{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162613Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.647{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162612Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.647{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162611Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.647{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162610Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.647{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162609Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.647{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162608Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.647{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-56F5-6116-3006-00000000E801}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162607Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.647{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56F5-6116-3006-00000000E801}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162606Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.648{C6197713-56F5-6116-3006-00000000E801}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162605Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.256{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B1F4EBF6C561F6FAE39A17DE426104,SHA256=E82D2557776CAE901C37B9BED3624FBE161980C6CE7245884CCF00008BC301FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216743Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:46.738{079FE16A-2851-6116-BF00-00000000E701}46524236C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8d9d|C:\Windows\System32\SHELL32.dll+2839de|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000216742Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:46.738{079FE16A-2851-6116-BF00-00000000E701}46524236C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8d9d|C:\Windows\System32\SHELL32.dll+2839de|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000216741Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:46.591{079FE16A-2851-6116-BF00-00000000E701}46524236C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8d9d|C:\Windows\System32\SHELL32.dll+2839de|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000216740Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:46.591{079FE16A-2851-6116-BF00-00000000E701}46524236C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8d9d|C:\Windows\System32\SHELL32.dll+2839de|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x8000000000000000216739Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:46.554{079FE16A-26A2-6116-1600-00000000E701}13003556C:\Windows\system32\svchost.exe{079FE16A-56F6-6116-3F07-00000000E701}2672C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216738Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:46.554{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-56F6-6116-3F07-00000000E701}2672C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216737Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:46.539{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-56F6-6116-3F07-00000000E701}2672C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216736Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:46.523{079FE16A-284E-6116-B000-00000000E701}8523620C:\Windows\system32\csrss.exe{079FE16A-56F6-6116-3F07-00000000E701}2672C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216735Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:46.523{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-56F6-6116-3F07-00000000E701}2672C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216734Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:46.523{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-56F6-6116-3F07-00000000E701}2672C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216733Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:46.473{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB43FF47C40C16578397A67A271124AE,SHA256=47B136284607B9DE488681E5C71BEA5CB20FD199BA9B88688B8B2AC6F3FC98EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162647Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.944{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56F6-6116-3206-00000000E801}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162646Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.944{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162645Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.944{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162644Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.944{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162643Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.944{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162642Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.944{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162641Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.944{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162640Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.944{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162639Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.944{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162638Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.944{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162637Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.944{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-56F6-6116-3206-00000000E801}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162636Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.944{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56F6-6116-3206-00000000E801}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162635Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.945{C6197713-56F6-6116-3206-00000000E801}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162634Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.881{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B4DE59F7A02EF29754B86FD60A1F0A,SHA256=CF5202B9CC147AFC0F6AE078BB90BC53D1F34B389D0BDECC2D6B4BE49D0335CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162633Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.881{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C48714C957D4EE151BB123235B8E3354,SHA256=89C9197E0DD7D3CE4AEA1853975B81B826DC1B01AE2B60C03731A54480777CDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162632Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56F6-6116-3106-00000000E801}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162631Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162630Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162629Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162628Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162627Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162626Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162625Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162624Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162623Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162622Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-56F6-6116-3106-00000000E801}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162621Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56F6-6116-3106-00000000E801}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162620Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.319{C6197713-56F6-6116-3106-00000000E801}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162619Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:46.272{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9850F9E3B3FA00BDFAE4A6B82C94D08D,SHA256=501163108619762C40D86BEABC488F55FD41812E987AA1A8C8530B0D14F6F19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216753Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:47.553{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D8687A966A9263BAB52CBBBFA39BA30,SHA256=E3F9A869A1B2EDC2446E3452306D0D03CBE132191D3FD5BA56D476AD5671D51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216752Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:47.553{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6376F60E3ED0FDC077583936F81C76A9,SHA256=707D34916D5D1CEA679A4C141F52E6EB1F06D7285A9990C33211B94C2B978FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216751Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:47.506{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF6B2871236E101FA557089D4A8150F,SHA256=F86B38AB1888BF4D91CF82AE9ABD184B4512E05CBC19CC8BE12DB750E2A4C269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162651Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:47.975{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B4DE59F7A02EF29754B86FD60A1F0A,SHA256=CF5202B9CC147AFC0F6AE078BB90BC53D1F34B389D0BDECC2D6B4BE49D0335CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162650Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:45.841{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52235-false10.0.1.12-8000- 23542300x8000000000000000162649Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:47.569{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B042AC7CD5115F7781B27F9BB4D20E38,SHA256=DCEA45D16252F26D9CD244610599252D30ECAF18BBC3A010104E13EC4C966BBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216750Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:47.038{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216749Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:47.038{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216748Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:47.038{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216747Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:47.038{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216746Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:47.038{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216745Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:47.038{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216744Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:47.038{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-56EF-6116-3E07-00000000E701}6748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162648Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:47.116{C6197713-56F6-6116-3206-00000000E801}27761104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162681Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.928{C6197713-56F8-6116-3406-00000000E801}22002540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162680Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56F8-6116-3406-00000000E801}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162679Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162678Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162677Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162676Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162675Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162674Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162673Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162672Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162671Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162670Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-56F8-6116-3406-00000000E801}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162669Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56F8-6116-3406-00000000E801}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162668Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.694{C6197713-56F8-6116-3406-00000000E801}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162667Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.569{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A627E8C7BE6AA7CDB935DDA5F43850,SHA256=11F13D809848641CD6AAEA0EC7D6BFF80C96923F24F3CE53BB00E8DFB246CC17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216775Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:48.508{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07DA74CA6876DD6EEF5288E7DBC67E1,SHA256=652C7BE5C4EB9406CDA111FFAF28160B8765DA714CC7122307224B663D002387,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000216774Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:26:48.208{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=153CFE1645FD60C69203CDD221702E49237BFDB9321B2A94DF6D7AB024499094 13241300x8000000000000000216773Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:26:48.208{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 13241300x8000000000000000216772Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:26:48.208{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000216771Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:26:48.208{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 16341600x8000000000000000216770Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local2021-08-13 11:26:48.208C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=153CFE1645FD60C69203CDD221702E49237BFDB9321B2A94DF6D7AB024499094 13241300x8000000000000000216769Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:26:48.208{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x8000000000000000216768Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:26:48.208{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x8000000000000000216767Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:26:48.208{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x8000000000000000216766Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-DeleteValue2021-08-13 11:26:48.208{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x8000000000000000216765Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-DeleteValue2021-08-13 11:26:48.208{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x8000000000000000216764Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-DeleteValue2021-08-13 11:26:48.208{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x8000000000000000216763Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-DeleteValue2021-08-13 11:26:48.208{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x8000000000000000216762Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-DeleteValue2021-08-13 11:26:48.208{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x8000000000000000216761Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:48.074{079FE16A-56EF-6116-3E07-00000000E701}67486408C:\Windows\system32\conhost.exe{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216760Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:48.074{079FE16A-284E-6116-B000-00000000E701}8523620C:\Windows\system32\csrss.exe{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216759Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:48.074{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216758Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:48.074{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216757Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:48.074{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216756Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:48.074{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216755Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:48.074{079FE16A-56EF-6116-3D07-00000000E701}42926316C:\Windows\system32\cmd.exe{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216754Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:48.042{079FE16A-56F8-6116-4007-00000000E701}6164C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{079FE16A-2850-6116-EC13-0A0000000000}0xa13ec2HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{079FE16A-56EF-6116-3D07-00000000E701}4292C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x8000000000000000162666Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.475{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162665Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.210{C6197713-56F8-6116-3306-00000000E801}28843160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162664Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.022{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56F8-6116-3306-00000000E801}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162663Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.022{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162662Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.022{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162661Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.022{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162660Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.022{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162659Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.022{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162658Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.022{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162657Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.022{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162656Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.022{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162655Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.022{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162654Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.022{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-56F8-6116-3306-00000000E801}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162653Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.022{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56F8-6116-3306-00000000E801}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162652Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.023{C6197713-56F8-6116-3306-00000000E801}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000162711Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:48.138{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52236-false10.0.1.12-8089- 10341000x8000000000000000162710Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56F9-6116-3606-00000000E801}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162709Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162708Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162707Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162706Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162705Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162704Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162703Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162702Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162701Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162700Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-56F9-6116-3606-00000000E801}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162699Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56F9-6116-3606-00000000E801}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162698Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.806{C6197713-56F9-6116-3606-00000000E801}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162697Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.803{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D1EAC21BC1B2E82525DE3423C3F6B0,SHA256=B28E5D271447A8116C191B600CFD74763E15E205BAE0AEFCF7913549CE013C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216778Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:49.522{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0523B1699E39DBD304C039AC142CC184,SHA256=76E8C4720A497690690F7E31027CB15AE6A59F1CAB0B0846FB1059D7FCE94683,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162696Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.397{C6197713-56F9-6116-3506-00000000E801}34483100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162695Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.194{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-56F9-6116-3506-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162694Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.194{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162693Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.194{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162692Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.194{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162691Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.194{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162690Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.194{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162689Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.194{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162688Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.194{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162687Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.194{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162686Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.194{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162685Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.194{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-56F9-6116-3506-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162684Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.194{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-56F9-6116-3506-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162683Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.195{C6197713-56F9-6116-3506-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162682Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:49.100{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98C7F900E3E7E98B0E9A05037EF78C11,SHA256=79085C5E4704F9F7E03BA97B5386D0F3DA04192A44A5A7066A2683FF4938E991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216777Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:49.054{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D8687A966A9263BAB52CBBBFA39BA30,SHA256=E3F9A869A1B2EDC2446E3452306D0D03CBE132191D3FD5BA56D476AD5671D51C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216776Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:46.347{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64911-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000162713Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:50.975{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C88276149A1B9C84CDA45F0CE3C10C,SHA256=356C6E6492ABE4A9132144EF8ABF9B5CDAB51FF993F37105D1162470FC6854D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216779Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:50.522{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408E886E57DE2C61200D5BBE07EEB555,SHA256=560735D526F443973811CD12A45AED48E20F31B4FF931ACBED37089369E2FA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162712Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:50.225{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D26382625B917C53E995578B7F4FB346,SHA256=ED7B6792674DD0A7BE2D1E9E6F9267D1C0C55685EB9376E05556096683AFDB31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216787Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:51.527{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B249C9AA37D7217AD6EF8037334973BD,SHA256=73EA1BBC85FA30B033C103092FAADA20F72E3BEBBD4E2BAF6CC68C5595000163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216786Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:51.026{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216785Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:51.026{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216784Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:51.026{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216783Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:51.010{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216782Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:51.010{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216781Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:51.010{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216780Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:51.010{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216788Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:52.543{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7CF0045A7531A98E58817DCDD1BDC5,SHA256=9AAFED1659DE3B0358EC1BCCD0E4BCD6007B07DE81C3436D9E5C42236546A067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162714Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:52.006{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26D64EF322DE5800B18079317CC62B2,SHA256=AC5962164BFA1E709C9AA02EDACB296A146FD476411959DA6BB67A63963EB517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216800Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:53.571{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52CCDBE6A8C8B60753F9DE376187CED,SHA256=F1C462698EBC0C4D07161A98E18F833A1C5AE18D69E99344FFBC7C6ED8206BB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162716Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:51.763{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52237-false10.0.1.12-8000- 23542300x8000000000000000162715Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:53.022{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D3344AE420E1CCE8936102C8B15A8C,SHA256=680082FBE9AD997FC75B1844F0DCDC6846D739207B50EE7BE0A8DDD015608B30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216799Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:53.527{079FE16A-3DEE-6116-CA03-00000000E701}57366588C:\Temp\release\x64\x64dbg.exe{079FE16A-56FD-6116-4107-00000000E701}6948C:\Temp\Akagi64.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9404|C:\Windows\System32\KERNELBASE.dll+c7125|C:\Temp\release\x64\TitanEngine.dll+36012|C:\Temp\release\x64\x64dbg.dll+64aa5|C:\Temp\release\x64\x64dbg.dll+58f0e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216798Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:53.527{079FE16A-3DEE-6116-CA03-00000000E701}5736ATTACKRANGE\AdministratorC:\Temp\release\x64\x64dbg.exeC:\Temp\release\x64\db\Akagi64.exe.dd64MD5=1740DB24E17622218EAE04A91ED10F99,SHA256=62A7FD4EE533FD8D272F19E8C810F514BCCC54F3BC0BBAFE5966A863E48FB0DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216797Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:53.511{079FE16A-3DEE-6116-CA03-00000000E701}5736ATTACKRANGE\AdministratorC:\Temp\release\x64\x64dbg.exeC:\Temp\release\x64\db\Akagi64.exe.dd64MD5=D7D274F17ED5451F515F5B2A309FEEA9,SHA256=334BDD21521F9F155121731452DFCCBE4310EDE81D6CEA857066A2F91B2CAA7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216796Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:53.496{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216795Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:53.496{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216794Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:53.496{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216793Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:53.496{079FE16A-284E-6116-B000-00000000E701}8524440C:\Windows\system32\csrss.exe{079FE16A-56FD-6116-4107-00000000E701}6948C:\Temp\Akagi64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216792Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:53.496{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216791Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:53.496{079FE16A-3DEE-6116-CA03-00000000E701}57366588C:\Temp\release\x64\x64dbg.exe{079FE16A-56FD-6116-4107-00000000E701}6948C:\Temp\Akagi64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Temp\release\x64\TitanEngine.dll+12231|C:\Temp\release\x64\x64dbg.dll+645ed|C:\Temp\release\x64\x64dbg.dll+58f0e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216790Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:53.507{079FE16A-56FD-6116-4107-00000000E701}6948C:\Temp\Akagi64.exe3.5.5.2103Pentesting utilityUACMeCD Project RektAkagi.exe"C:\Temp\Akagi64.exe" 43C:\Temp\ATTACKRANGE\Administrator{079FE16A-2850-6116-EC13-0A0000000000}0xa13ec2HighMD5=F03583F682E76157FB79CD46338219EF,SHA256=F8A6A7F8D929CE2403771039AFB44E74A616C261498961CBB358B56C36B79EDD,IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe"C:\Temp\release\x64\x64dbg.exe" 10341000x8000000000000000216789Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:53.496{079FE16A-26A2-6116-1300-00000000E701}8283468C:\Windows\System32\svchost.exe{079FE16A-56FD-6116-4107-00000000E701}6948C:\Temp\Akagi64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216803Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:54.619{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCC65986A3792D3181102C98EDE4E0D,SHA256=435BACB0B4E99614420D80457F8B0E89FB3CCA5DB806F40D01C72D0BC290BE12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162717Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:54.022{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8B68C49E28E38A2321CECE86B29F6C,SHA256=5E9EB076ADA7C9767A19324E147D2948232F6A81301C0E81DD9CB3F109C89F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216802Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:54.503{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B030DF9F3DD7786086D8EFEC544C31A7,SHA256=A0432A90F79112CE69E6C44ACD66BE7A66B9E5D303B44E02035167132C56EA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216801Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:54.503{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1EFDC2514E6C1290968CADBCE43E077,SHA256=9B2670AB98660697F7A3D2769A11A860BE280A5FAB7F4C092994E151E648CB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216805Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:55.649{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09315C6E1DCA19E8403ADB076831C938,SHA256=DAA3D3C5E5F8BF7F778D0F056CD1EE372F1090659D2255C77AF41E306A5842A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162718Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:55.037{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B645239D8C88884C7E13728472C3945,SHA256=0CE18CB1E4255098B3AEB370D51E5F17F90933BE7D7541B0B46A31718E6B0961,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216804Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:52.221{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64912-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000162719Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:56.053{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57FD29FE089EA522F16C4C7A20F357A,SHA256=58D2F267AA852373BD428B49605879CBA93C8949B5326522E9F18DAE5C18E635,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216845Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.584{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216844Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.584{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216843Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.583{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216842Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.583{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216841Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.583{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216840Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.583{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216839Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.583{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216838Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.583{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216837Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216836Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216835Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216834Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216833Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216832Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216831Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216830Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216829Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216828Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216827Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216826Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216825Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216824Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216823Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216822Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.582{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216821Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.581{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216820Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.581{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216819Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.581{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216818Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.581{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216817Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.581{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216816Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.581{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216815Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.581{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216814Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.581{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216813Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.581{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216812Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.581{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216811Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.580{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216810Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.580{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216809Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.580{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216808Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.302{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216807Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.302{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216806Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:56.302{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162720Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:57.053{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DC738BCD400B419BBE2D3F27EECFC5,SHA256=B95ECF25559066FB0629B2EEA76FA6D1298A13549134DEFA91F974A5DB172CA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216849Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:57.900{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216848Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:57.900{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216847Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:57.900{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216846Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:57.064{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF511723EE38DFB21F71BF193566F094,SHA256=59D8C8742C8192B8FE77340C4ADF5A2A7240DADB81629CBA8750C57B4A9C695E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216850Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:58.084{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC51B4CC353F47DD11276BC8B8EDC1A,SHA256=286E6CE34C7D6706936C4BA71AAA405783A8530BEDA1674AA716260ED1F932E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162722Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:56.826{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52238-false10.0.1.12-8000- 23542300x8000000000000000162721Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:58.069{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42657223F91F35D2F185708EE0C04532,SHA256=CC7FD53FD406B350F29B6C62E99FA8B91C901C49752A07C22CDEBCFD1063575F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216859Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:59.799{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5703-6116-4207-00000000E701}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216858Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:59.799{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216857Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:59.799{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216856Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:59.799{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5703-6116-4207-00000000E701}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216855Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:59.799{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216854Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:59.799{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216853Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:59.799{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5703-6116-4207-00000000E701}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216852Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:59.801{079FE16A-5703-6116-4207-00000000E701}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216851Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:59.100{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FC1C050FEBE9024CD050BCC38D7BDC,SHA256=14C7CA199E7C958CCE1D1AD9BEC612BBDBB2E043F34A51510635A42FA8E7B41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162723Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:26:59.069{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E442411C2A4A194FC87AF96ED4D7670,SHA256=C9D44915005AAFB9E8F335F907FEE0346431FD0FDA3CDF236BFEE88A900B26C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162724Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:00.080{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB589C5887FDDCE36BEAE0407B2C275,SHA256=ED18F98248D6CD433F69D53F3CBA6FCB3C74BC3B88ECD4B574C75727A329F5EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216872Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:00.800{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A563F7BDE9CE78327FBB757DA1F47F31,SHA256=A92810B60C5CA04F19F42DB5A081B5C3E75F10B73C2490AF227A2FB07CD7F7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216871Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:00.800{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B030DF9F3DD7786086D8EFEC544C31A7,SHA256=A0432A90F79112CE69E6C44ACD66BE7A66B9E5D303B44E02035167132C56EA83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216870Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:00.462{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5704-6116-4307-00000000E701}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216869Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:00.462{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216868Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:00.462{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216867Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:00.462{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216866Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:00.462{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216865Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:00.462{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5704-6116-4307-00000000E701}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216864Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:00.462{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5704-6116-4307-00000000E701}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216863Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:00.464{079FE16A-5704-6116-4307-00000000E701}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000216862Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:26:57.288{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64913-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216861Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:00.162{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA70E2E94539DD25C2978F7B507FD5D1,SHA256=81BE05FEBD737C392AEBC5D70876F03BA240F4D92DDF5D6DDBE294152F4A5BD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216860Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:00.031{079FE16A-5703-6116-4207-00000000E701}18241328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162725Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:01.092{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C5A468E70A885AB26EDAA548DA9B85,SHA256=FF2897E9A76BBD4EA8356BD35E5B24C65532FF61088775AFCE124CF2255207EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216883Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:01.199{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F264A526B65977D88478EA2E3E1A0C78,SHA256=0ED511F2EB3C4CA7A5541DB283FE41368ADF8ACF83D82D7B0A4AC4D4D94F1BC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216882Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:01.131{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5705-6116-4407-00000000E701}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216881Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:01.131{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216880Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:01.131{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216879Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:01.131{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216878Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:01.131{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216877Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:01.131{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5705-6116-4407-00000000E701}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216876Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:01.131{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5705-6116-4407-00000000E701}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216875Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:01.132{079FE16A-5705-6116-4407-00000000E701}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000216874Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:01.015{079FE16A-26A2-6116-1600-00000000E701}13003556C:\Windows\system32\svchost.exe{079FE16A-56FD-6116-4107-00000000E701}6948C:\Temp\Akagi64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216873Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:01.015{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-56FD-6116-4107-00000000E701}6948C:\Temp\Akagi64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216885Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:02.230{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38D6D42BDCABDCBEA6FC337B315168E,SHA256=51B1A9B9868087377669EE8F1838339B7D060AB6A0091FD982CA1AB689623464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162726Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:02.094{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3633AED7944F552B141144FA3DF2D8DD,SHA256=8E69E553978836C4F5876CECD4C44044C9B500B9A88AF380E284EFAF55A11B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216884Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:02.161{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A563F7BDE9CE78327FBB757DA1F47F31,SHA256=A92810B60C5CA04F19F42DB5A081B5C3E75F10B73C2490AF227A2FB07CD7F7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162727Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:03.110{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F8623B866B481EB6171A9EE659AD68,SHA256=604ED9A57DE1D4E88BC53125E524009A7D4DBFD9B115D09BF69A33EF3EBA1586,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216895Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:03.881{079FE16A-5707-6116-4507-00000000E701}58885348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216894Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:03.659{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5707-6116-4507-00000000E701}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216893Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:03.659{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216892Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:03.659{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216891Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:03.659{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216890Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:03.659{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216889Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:03.659{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5707-6116-4507-00000000E701}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216888Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:03.659{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5707-6116-4507-00000000E701}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216887Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:03.661{079FE16A-5707-6116-4507-00000000E701}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216886Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:03.244{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EB7528FB9568335892376B65694B13,SHA256=D2FFB278FDD5CF1170ED974E0E28531E39DB2C1FCC806FF612BAA58B877013F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162728Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:04.110{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229A76E3E031C4F3D0449E490BF4CF04,SHA256=24BD75AC318C181250DC1DBF0756F984B39A44EF619E2DB138BE2F49166018F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216914Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.881{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5708-6116-4707-00000000E701}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216913Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.880{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216912Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.879{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216911Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.879{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216910Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.879{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216909Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.878{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5708-6116-4707-00000000E701}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216908Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.878{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5708-6116-4707-00000000E701}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216907Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.876{079FE16A-5708-6116-4707-00000000E701}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216906Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.697{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEA2B4C9AA0189B327441C462DF33D0B,SHA256=4F75533A3820C0B1D8E54021AC4599A8256816A8B7554B7EF178B75875511B09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216905Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.528{079FE16A-5708-6116-4607-00000000E701}70006600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216904Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.280{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5708-6116-4607-00000000E701}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216903Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.280{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5708-6116-4607-00000000E701}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216902Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.280{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216901Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.280{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216900Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.278{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216899Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.278{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216898Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.278{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5708-6116-4607-00000000E701}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216897Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.277{079FE16A-5708-6116-4607-00000000E701}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000216896Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:04.259{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B8017086BAEADCAD197EDEE094CE06,SHA256=8139D0660C1F54893A006C58F180762252A4AECD214D6E70ABA717B0017D337E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162730Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:05.126{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50142F962AF0DA831C28BE44C7B9462,SHA256=25AD88B0DCE4887156035DA65C38981D5783A45D28E2C3717C5A9CBB281C3141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216927Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:05.897{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9E6EE2B85052F27BC9B96BD1CF9F24E,SHA256=6699294A613465500E12C8BDC402B6F4846C7401EBB1A4890CCFB167D6DED207,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216926Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:05.659{079FE16A-5709-6116-4807-00000000E701}46606276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216925Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:05.481{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5709-6116-4807-00000000E701}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216924Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:05.480{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216923Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:05.480{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216922Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:05.479{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216921Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:05.479{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216920Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:05.479{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5709-6116-4807-00000000E701}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216919Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:05.478{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5709-6116-4807-00000000E701}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216918Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:05.478{079FE16A-5709-6116-4807-00000000E701}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000216917Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:02.884{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64914-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000216916Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:02.884{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64914-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 23542300x8000000000000000216915Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:05.282{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33EA1B585C5815D962BC457BDFACB58E,SHA256=8D1313B5017699E0B26D50E8608007DF01E813CE7141F0270B48C5AA62E7EA5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162729Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:02.773{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52239-false10.0.1.12-8000- 354300x8000000000000000216929Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:03.283{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64915-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216928Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:06.312{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E33E7B62F823266680F3E76A1B25E5,SHA256=4A03D323BDCB9F116618A95BB381441343B97DDFE3FB7C8AA3C2FD98DBDFF2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162731Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:06.126{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFC5A274B89D930589F15F050654E8B,SHA256=49913CD2125D8AD66085D14B4792530130BF4B30982B81B207D570EE9B294DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216930Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:07.327{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B458872B1A030DD01500CC63914154AF,SHA256=A6AB041A84F1413C0D6EB7F5161E2A7618283DB63CCC811CE70F29CEAEBF2406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162732Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:07.157{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF62952CDED3472B57AF4B072330CDA,SHA256=E4D3B83A844221FB1F20BD9F8B562B48DEF4AB958906E546D9D2054CACE5C399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216931Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:08.342{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F47EBED9044166B7949F5FFD0C43036,SHA256=FCD72F73E4E7D4F6B29B2E630E93ECC1E30D8114E50172B84C97DEE9080292B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162733Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:08.204{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AB05FB8EAC16FF9C7A09347828B73A,SHA256=E474FF997A7A44A1850E3FB56D587695B90328EF52AA2000C4AECBE89D159A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162734Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:09.219{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355376B5B2EDBEE91280BD9476C58637,SHA256=B10FBD1F76E446CBED49DC1635B39875A54CD85D7D0455161DD5961F809221F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216932Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:09.357{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538AD7559C8A9B4DADBB068FF59C19AF,SHA256=57D7898D81B03E67F0D96A1759C8204A0E7C81C9FF45335EAFAC5DF3B008D023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162736Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:10.251{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3772993542DA793DB5E957E3F7FD9E,SHA256=6182D7BA196EBC69FB2D28D5DECC9F6D0551A4F8833FD02B23420657460F93E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216934Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:10.358{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DED0B7BA1ACCA6AC8B96B3B24146F1,SHA256=2DE759519856B555C1778E3CDEAACE0C886D590F12E0ECF0FB40EF2FB078983D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162735Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:07.930{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52240-false10.0.1.12-8000- 354300x8000000000000000216933Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:08.298{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64916-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216935Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:11.358{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F892301E840AD1394EA242862D85E9,SHA256=63EC2BBEAAEBD7F58C346E8F04CDD710F3E196AE33DB3F24EB6D3E529CB059FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162737Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:11.297{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898EC4283544E14B9D24751E3309F7E0,SHA256=866FD718A164F98CABD9D9A32BE5326E03947D23AE06B27127BD455A347ACD0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216936Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:12.376{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D3D7E5277C0917F13263C166B4D2A4,SHA256=1ED2823922360BB2F34CE802EB3C7DAC6FB31ADE3EDC5CFE8FDB4C6E4A6C8988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162738Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:12.313{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD8893A142BBBC2BDAAA9C3EF139E34,SHA256=C651B213D5855663A48CBFF7CEC932FF935CFC97DD6CF0AF7658A58904BCD693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216937Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:13.442{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1925407459DD0EB541F0CC6DA3BB7C8,SHA256=4F5B7CA25ED2A6A2E2511E1DCF719F789A071A5E3012895BBF22565AFD0F9066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162739Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:13.329{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F16620A2B589DF3B5FD577E8E060ADA,SHA256=E6EA49D694FA58E8A1863FFDEA38ED749BB6870EE63D80A0BA4BDAA9236B9CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162740Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:14.344{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767BD8FA8B04DBFF06B241D042CAB28C,SHA256=E3313D9A579DB2A3F9F530D34C1B3AA263E68C68AFEF2E2BF75B2C1DD0FCFE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216938Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:14.457{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A632D8B652CED1613D7318D3B5CDF588,SHA256=175D98538FCECB881398B1597021A40493E6929F417D471C755C90978AC48E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216939Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:15.461{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E10A71C811F202E869C2D0C249DD0BD,SHA256=615581DAF60E376B972CB1BBF4AB0CB1EE5A0708DF6F4F26B3B2A2D9688BABEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162742Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:15.344{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40860CA06AE951AAFA3036F157681650,SHA256=87833F262E0DE767D7D632C110BC0DDAB1EC19B6DC58C7C72DC4F90DE5115244,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162741Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:13.727{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52241-false10.0.1.12-8000- 23542300x8000000000000000216941Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:16.475{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD675B59974D097E75E418942078F53,SHA256=2BEAD70238F4A408F6F6D9FDB8A84F908EFDFA46DA336D1FA3013928FE9E744C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162743Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:16.344{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C24DE670CBEB3D0ABB0F50DCB9C57A8,SHA256=5D6CA839EAFE5BC72515469D694D93E770CED0122BEB4356750244A78466FE58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216940Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:14.281{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64917-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216942Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:17.492{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E90F546CCF947ECB8982BDE547FA381,SHA256=590821AB8A6D34EA0639702B8225C31D562466A2BC9532550EA2AC37703E4294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162744Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:17.344{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ABFDD88A39A2AB2DC2B6802B84922C8,SHA256=34F4FBB4939AF93B84AC2BD009E394AD6A433100959DFE91A17425643378C228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216943Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:18.523{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EF435306D241CC21C7A67AD93CE54E,SHA256=1C3379FE8244FCAB8FB386ECD35171BF0A4E75BAB42FA9CD024933684B1D44B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162745Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:18.360{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE860F60A37C6BA91338A1D88235B734,SHA256=95F42E2F23DF5B96A2570A35433C79F97E69761B440D014528801BB0CFB67DCA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000216968Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.973{079FE16A-56FD-6116-4107-00000000E701}6948C:\Temp\Akagi64.exeC:\Windows\System32\colorui.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Color Control PanelMicrosoft® Windows® Operating SystemMicrosoft Corporationcolorui.dllMD5=558DA7CC480311B5AF2F13DA91E2DC39,SHA256=9F66294E22E4B32483D9FC6AEA56216803F03969AFFDB3643F7720B3804AC0F6,IMPHASH=61F27E1FF45E83BF795C1847DA52F9AFtrueMicrosoft WindowsValid 734700x8000000000000000216967Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.937{079FE16A-5717-6116-4B07-00000000E701}4980C:\Windows\System32\dllhost.exeC:\Windows\System32\colorui.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Color Control PanelMicrosoft® Windows® Operating SystemMicrosoft Corporationcolorui.dllMD5=558DA7CC480311B5AF2F13DA91E2DC39,SHA256=9F66294E22E4B32483D9FC6AEA56216803F03969AFFDB3643F7720B3804AC0F6,IMPHASH=61F27E1FF45E83BF795C1847DA52F9AFtrueMicrosoft WindowsValid 10341000x8000000000000000216966Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.921{079FE16A-26A2-6116-1600-00000000E701}13003556C:\Windows\system32\svchost.exe{079FE16A-5717-6116-4B07-00000000E701}4980C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216965Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.921{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-5717-6116-4B07-00000000E701}4980C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216964Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.906{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-5717-6116-4B07-00000000E701}4980C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216963Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.890{079FE16A-284E-6116-B000-00000000E701}8524440C:\Windows\system32\csrss.exe{079FE16A-5717-6116-4B07-00000000E701}4980C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216962Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.890{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5717-6116-4B07-00000000E701}4980C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216961Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.890{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-5717-6116-4B07-00000000E701}4980C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216960Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.890{079FE16A-26A2-6116-1600-00000000E701}13003556C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216959Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.890{079FE16A-26A2-6116-1600-00000000E701}13003556C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216958Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.853{079FE16A-26A2-6116-1600-00000000E701}13003556C:\Windows\system32\svchost.exe{079FE16A-5717-6116-4A07-00000000E701}1876C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216957Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.853{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-5717-6116-4A07-00000000E701}1876C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216956Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.837{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-5717-6116-4A07-00000000E701}1876C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216955Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.822{079FE16A-284E-6116-B000-00000000E701}8524440C:\Windows\system32\csrss.exe{079FE16A-5717-6116-4A07-00000000E701}1876C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216954Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.806{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5717-6116-4A07-00000000E701}1876C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216953Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.806{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-5717-6116-4A07-00000000E701}1876C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216952Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.790{079FE16A-2850-6116-B700-00000000E701}41045600C:\Windows\System32\RuntimeBroker.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000216951Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.790{079FE16A-2850-6116-B700-00000000E701}41045600C:\Windows\System32\RuntimeBroker.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000216950Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.775{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-5717-6116-4907-00000000E701}6624C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216949Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.737{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5717-6116-4907-00000000E701}6624C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216948Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.737{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-5717-6116-4907-00000000E701}6624C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216947Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.737{079FE16A-26A2-6116-1600-00000000E701}13003556C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216946Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.737{079FE16A-26A2-6116-1600-00000000E701}13003556C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216945Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.722{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-56FD-6116-4107-00000000E701}6948C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000216944Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:19.553{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4D197C6D4B8D0CF21ECE9294733DCD,SHA256=03AF1A50AC2AC5963AF10DB45F0C0AE061CA836ACB14A516A1588C51014A96E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162746Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:19.360{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F6DD8C3A05F016552FBA15A4FBB354,SHA256=FFB5A60DA6AC64CCBFFE5B098873BF7F38811CD6D04F5E1F0440A144EEF2A788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162748Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:20.376{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C0DE7E0365AC61944A8988CF14E2A5,SHA256=729529465A9C9B552968F295BBAD307D9F224D4E161D0493D8DEC6C74F991063,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000216994Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.237{079FE16A-2851-6116-BF00-00000000E701}46525240C:\Windows\Explorer.EXE{079FE16A-5718-6116-4C07-00000000E701}7020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216993Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.237{079FE16A-2851-6116-BF00-00000000E701}46525240C:\Windows\Explorer.EXE{079FE16A-5718-6116-4C07-00000000E701}7020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216992Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.237{079FE16A-2851-6116-BF00-00000000E701}46525240C:\Windows\Explorer.EXE{079FE16A-5718-6116-4C07-00000000E701}7020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216991Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.221{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-5718-6116-4D07-00000000E701}6008C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216990Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.221{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-5718-6116-4D07-00000000E701}6008C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216989Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.205{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-5718-6116-4C07-00000000E701}7020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216988Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.205{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-5718-6116-4C07-00000000E701}7020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216987Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.205{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-5718-6116-4C07-00000000E701}7020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216986Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.205{079FE16A-2851-6116-BF00-00000000E701}46526640C:\Windows\Explorer.EXE{079FE16A-5718-6116-4C07-00000000E701}7020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216985Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.205{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-5718-6116-4D07-00000000E701}6008C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216984Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.205{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-5718-6116-4D07-00000000E701}6008C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216983Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.205{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-5718-6116-4D07-00000000E701}6008C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216982Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.205{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-5718-6116-4D07-00000000E701}6008C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216981Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.174{079FE16A-26A2-6116-1600-00000000E701}13003556C:\Windows\system32\svchost.exe{079FE16A-5718-6116-4D07-00000000E701}6008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216980Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.174{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-5718-6116-4D07-00000000E701}6008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216979Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.152{079FE16A-5718-6116-4D07-00000000E701}60085360C:\Windows\system32\conhost.exe{079FE16A-5718-6116-4C07-00000000E701}7020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216978Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.106{079FE16A-284E-6116-B000-00000000E701}8523576C:\Windows\system32\csrss.exe{079FE16A-5718-6116-4D07-00000000E701}6008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216977Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.074{079FE16A-284E-6116-B000-00000000E701}8523576C:\Windows\system32\csrss.exe{079FE16A-5718-6116-4C07-00000000E701}7020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000216976Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.074{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216975Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.074{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216974Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.074{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216973Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.074{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216972Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.074{079FE16A-5717-6116-4B07-00000000E701}49805260C:\Windows\system32\DllHost.exe{079FE16A-5718-6116-4C07-00000000E701}7020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000216971Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.074{079FE16A-5718-6116-4C07-00000000E701}7020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Windows\system32\ATTACKRANGE\Administrator{079FE16A-2850-6116-EC13-0A0000000000}0xa13ec2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{079FE16A-5717-6116-4B07-00000000E701}4980C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} 10341000x8000000000000000216970Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.053{079FE16A-26A0-6116-0B00-00000000E701}6284932C:\Windows\system32\lsass.exe{079FE16A-5717-6116-4B07-00000000E701}4980C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216969Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.053{079FE16A-26A0-6116-0B00-00000000E701}6284932C:\Windows\system32\lsass.exe{079FE16A-5717-6116-4B07-00000000E701}4980C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000162747Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:18.820{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52242-false10.0.1.12-8000- 23542300x8000000000000000162749Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:21.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8729C1985F140F3F3A1E018B9EBF74,SHA256=ED9CDA68E3E4AC9BB2CD8F7E517492A3A36F7FEC430CA901D04B5DC000786696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216997Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:21.052{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A7BCD07A46980AC3215253337F01751,SHA256=8EFDF7CE4A48D06891B0153A1AD677C648A9F6D72C79535065F734F554C985E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216996Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:21.052{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26821ED5366A8FC69121042E8CED4D30,SHA256=C3F19CF1B5DA37430BDE9E897479E0C887AF50253E7E9E14E0C68236EBC3FDEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000216995Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:21.052{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC07DB8B40278B2C08A936D683352F5B,SHA256=14F0AE97D80FE8F5F260E7FC3B772F307216286A57B959DB60634F134E476B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162750Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:22.407{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46C86F3513169C8EC01F749D5642F61,SHA256=2F30BF5CCB6F1F85AE56E0C87C235433C512D280D8BAC8D034EE949446BCA342,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000216999Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:20.293{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64918-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000216998Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:22.072{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FCAF448CF4221DF5478FB1ED229B78,SHA256=4856CF7B0AAA4D9C648DDB4043E030DC2C85BD8847E5C7FA65120175F8301D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162751Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:23.407{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD35E4C9AF6F8249A977D56899657FC,SHA256=57DB039281C930560071B004428A0FD216BB5F86FE13425BD54AADD8199225DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217000Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:23.091{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69C1228C94B5E04891F22D868D19BF3,SHA256=6C9C56090DE5BC424FED2E319050D685D2561950C7DCD8006689858BA56BCC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162752Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:24.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC94D27C785381057EC1400E4339BDE2,SHA256=42E43EF5F8B19A5DE09D0B095C9D9143A3656C486B8C76D2DB23F4C506A6A51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217001Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:24.093{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73D67C9259D7D75B6B05966B84855ED,SHA256=D13A77C0EA7A236B6AECA7E67E763E66797AA1933D3447AAE9FA078595103A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162753Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:25.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE13FEC4D11210344D05FC37AEB2B54F,SHA256=3EF32ABEAC89685FFE050B8A5FFDF671ECD681A95597B4D46DFE58743638C2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217002Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:25.108{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307B418B384FE5587703E2D0307C3358,SHA256=52EE3A343F8FFF6FCF36E175AB2064D81770EE35DE500F8E9C1FCD1123B3A182,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162755Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:24.852{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52243-false10.0.1.12-8000- 23542300x8000000000000000162754Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:26.516{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2975CC936D43465DC006E4154DCBDC29,SHA256=F4BAABFA41C4C7CE16656C3DB95676D6F68C79004CF6BF835B0D32BD7EA9D41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217009Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:26.555{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=518A5755694D138EC5BE4B46C571CE98,SHA256=D4C07F685C9AD80C87C9A144025882DD0086534A6F6C95E8F7BD1C4797E9BE9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217008Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:26.555{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=CA57E84E9D537DC800C22FFA5D352FA0,SHA256=3F9DB84E3B6FC21A43588DAEED6A95918B7538EF1AA920711FF8B2AF5CE1E05B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217007Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:26.555{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=4CCAB49D431F39E82EC67E4AF6FBC51F,SHA256=218A80257BC237809CC872C4927EC0C74C3ACC35AC07F765FA82659BA1607524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217006Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:26.555{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=650FDD7D3009E1E24675D5CE57DEE090,SHA256=299AA0323104C92FCF11A1C0B139CE440534E0CAB73D01A7D7C8C19EFB7A1CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217005Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:26.555{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C516C8EBDB16F716652DEB877AE48489,SHA256=14D456AE8ABC52D6BD44320EF260BD212EE540088FD926FF84F3CAB8DA876CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217004Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:26.555{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C2EABDFC555E93B08185A9D20FED9F5F,SHA256=8764042D5D8BF711B4FD640275AAAD423CD8FEF1C9D8951C9639FCB5A43B7E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217003Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:26.123{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046793447774481B2AED321A64B5D89A,SHA256=DAB8189598577966231B6A8AAF85CDF41A71FA0B4A3B390745FF03CF914DAAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162756Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:27.516{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=686C2457EDED1345EF371D19450D0814,SHA256=3592AE1C2C6217A104C5F307BB3665D3E64693D70DE6A2930A4D2D2B1E91CB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217010Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:27.123{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8204DEB9CCDAC5C305489B45F0086B65,SHA256=B9C7795E2A4145B4A1A44F613AE997057EB6ADD84CA1DF54324A85D4680ECA17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162757Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:28.532{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94090FB4F55C81FE2F062C66D29DC3BA,SHA256=892276B0F6D9796D8047E6B05F63DA181FF9BF5B750CD2749018FC0A1E213201,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217012Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:25.348{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64919-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217011Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:28.153{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209DCBA5238011FD17FA3AC02E8311C7,SHA256=CDAC581C7337A3B2D983D109B96E81DDC5667B7EFB553CFB47C9D841237A9B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162758Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:29.563{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D30901D23683E46431140FD66BC6206,SHA256=AA9C40FFBD04F9F1E45E2A58A5518869C5B404F5F19B8EBC0D757D38F5479952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217013Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:29.155{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D7902FBF34F492669F64531DB3F8BC,SHA256=B98CD0B45712A04452B4B82E91BC3748C7CB127DA78AF0E3AE060976441ADC7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162759Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:30.579{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BD4D0783ACEDB1FFF1B4CEFA794681,SHA256=D32D3ED8D6A44BEBFDECA14E01BB99E7A8A5DC0A5D396FF538D58B9F1D994B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217014Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:30.191{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DE52A88282B4D824B0603CA45EF2B3,SHA256=FC89B222FA4E039C44404C1DA8099A9FF91DD3A4037D428F3B68CDB108109594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162760Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:31.579{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA74A227C6D95EE85B6B974353C69327,SHA256=0EDC5D55E37605DCF7B4935B21D929EAC41F792C9F02C2891610461A3DE9F714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217015Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:31.238{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C425549940028E37CAE85588F76828,SHA256=FF08D7EBA281B5B493E7005F35DC4F6D4EEF58F7D3CDF1AD8FA3AABABB8655CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162762Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:29.914{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52244-false10.0.1.12-8000- 23542300x8000000000000000162761Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:32.594{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF18CAAFF26D891C517531A2E74087C,SHA256=B68222DA9D9335D409EE842CD8AFF7E41DD86E20B6B418E2BA3350C4BEA8F34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217016Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:32.321{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8EF73BA8B30CA3A3B2EE460FB4B89D,SHA256=4D9D92441139C4BDC57E5711355B740025529F0DC7D707022A43932D6AC93D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162763Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:33.610{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B12AA2A7A84DE8B3392A5FA8105A98,SHA256=F18FE8F0B26429F3332D94969A59FAE66076DAEF42185A50FAA9FF079865EB3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217018Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:31.215{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64920-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217017Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:33.336{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649A47A058780565F6BFC57EE871407B,SHA256=091CEB828BAEBB2B54AFF4879E26688499FC06AF0ACA2A385A2A09387F7BFA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162764Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:34.641{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CCA3816F275E04F62AA8A8B384E2AA,SHA256=A7E47BA04AE0272784C0618C2F823240DBE1F9618631D3CD2071C50D3DEC89B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217019Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:34.351{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9542E479EADFF861EB2942010AFA4BB5,SHA256=3E2F87CAB8C0AC3EB3CFBC0DF9413A0AB5E7BA9817F45AE5B5B9BFDEE83990D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217020Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:35.370{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6853B978C49B64042AA83E58AE338063,SHA256=21FA59C521D755D6056B79929B304AA710CCC088643765AF118E1D41BFBA7621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162766Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:35.641{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AFF6828C13B153C8A5FFFD41431CA99,SHA256=D05AFE0153ABBC8C88B2283088C58A7CE5C47F2EC26EF82863FF38B631852F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162765Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:35.344{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=00E85060A33A3F21B3ABF8F390F4FE23,SHA256=0F3933D9571F645E5B645D196AF5DEEAF1538DCC5C9895642AAB9AE35398A894,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162770Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:36.922{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1500-00000000E801}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162769Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:36.922{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1500-00000000E801}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162768Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:36.922{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1500-00000000E801}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162767Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:36.641{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E9D53030B11F79A2A0BF11DD0E79BD,SHA256=31827C15BD503E34EDF48E8E860BDB95FB7C9D8895D0F512D60627B5058D919A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217022Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:36.949{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F593A328F6294227DC7FECF5E0CDAE24,SHA256=E1D25DAAB82FFDCFA5DA9C5554FB9685678CEC6E03F4C4FBCB2649812BF1247B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217021Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:36.387{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6285F7F29936E07C988D7201857B35A,SHA256=FAF0919D720104BC9ED3C70232BCF683BF74B545D1715C49510ACB112E8716C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162772Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:35.727{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52245-false10.0.1.12-8000- 23542300x8000000000000000162771Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:37.704{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A6BF5648DD233F77A225156A7B6E03,SHA256=3A7B28738CD1F5DCAFD8483D36002FB1DEDA958D99357AC98C75B07824F14371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217023Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:37.417{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAC1F9DD4F60F9315721D86914CA328,SHA256=9B1CB33F109B3CD7DB692D54AB54E8BF4A430D770BEFE21DCA6091229DDCBD0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162773Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:38.766{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AE44FCDC2CD304C52FA6A8A8AE5043,SHA256=E22ED888D7D3FE20237D8481864FBFCD81E1A84A08DD011CBB21F4748553FC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217026Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:38.947{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217025Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:36.311{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64921-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217024Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:38.432{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29942DD05B45E1CA5F11A403E50BA13,SHA256=85FA984D35D9B68A8E98703E998E9593EC1E07838A06CC0ECF5C967FFBF100BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162774Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:39.797{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A3C22B7B05E9717FA1252B9E3A21C1,SHA256=5FBCA6FD4B3F18762031B350E1D72E902ABB15482DF624C303C7A9A92E6BE671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217027Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:39.446{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C84C43B9F65EA60F9FFBB0E97516E6,SHA256=2E46FFBAECC7673AE197ABB8BDDD3EE73DD659638A3F76FDF36D812A445F66D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217029Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:38.056{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64922-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000217028Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:40.467{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECE3DACA80B6A133ECE7572D89748A6,SHA256=57D92164B2D699ACDE0EE2AFBB1C52D3199FE90965EDFFE7BB147268CD390C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162775Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:40.829{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B54E24C3AC027589E7FCDD1D4A3D5F7,SHA256=C4B3625365FCD70D9F7078B1ABB67D58E32F2F16F181A1250C8E514868CF0953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217030Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:41.497{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E437A8EDA4D2D48CBB5E7B8B4928613F,SHA256=CD5D2A17427BF4320CC908FF7E6D485C847D1883AAE030BCF39826115AB287B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162776Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:41.860{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAE0BF7EEA0AFFB5CF49F887DAB2713,SHA256=BB71BD1C139B77478FE1C334D65E23C2BE890B557B81B8275EBD7E87241E98E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162778Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:42.875{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA37EC9193F72BDB6F78DDA00F248A1,SHA256=DA252DC5151D2BF86A8E4153516A78BA868B59120FDB6C022CE335D68D07EEE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217031Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:42.563{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78ABCE6EC6C92F0CB33A53D46783FDA,SHA256=D670255882B7614DE1E5ED48FE0E7E172992867909CF00C517FE8B1E89236AA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162777Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:40.743{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52246-false10.0.1.12-8000- 23542300x8000000000000000162779Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:43.891{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286C9E89E41560A59732BDBFCE8F7ED2,SHA256=3135FCAB8C32F0F11E6E5F96F0A849C321C981E4ED448E08EE6A9EB333514DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217032Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:43.581{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739BC14BA5FB452630D0612F974C592C,SHA256=3B33211E3F51794C708B90FFE993D29E419B95C0F00C357D4D08D5376B283B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162780Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:44.907{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE591BB159749EF17631D71FA787F75E,SHA256=F0CEDF4C0A895EB05BA6CCB35E79EBD3F0132B90276D74817728B6ED4143B780,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217034Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:42.169{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64923-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217033Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:44.612{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16A1625CF4AB27563410279DD5DE0E9,SHA256=A1371E199EB5A848172187C1942C201954B7883535949B7D7F60661D21BBE823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162794Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.922{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D31910199057F3221CFBDD9C1B580E,SHA256=17AFFD289B2C7A53907BA5FD78868B735B60741206EDCA7AE954D336BFDD623C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217035Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:45.627{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6350B7132729C05F0482A4A6FCFD2DE,SHA256=85567110B8BDB51BD6ED6F76CE9609D67AB8AAE8D5721956F058EFBF3994A3D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162793Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.641{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5731-6116-3706-00000000E801}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162792Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162791Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162790Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162789Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162788Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162787Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162786Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162785Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162784Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162783Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.641{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5731-6116-3706-00000000E801}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162782Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.641{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5731-6116-3706-00000000E801}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162781Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.642{C6197713-5731-6116-3706-00000000E801}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217036Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:46.630{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3230AA292DF508617F2302687C10CBC9,SHA256=5DD554BDDB5234789BCD4B4602F0FE11F6D1CF06859972229DF8B0A1F16BFA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162823Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71B6F049E5CD27EFC2DAC9D0D5CFB8D9,SHA256=8B7BE241D53E24AE220353B785A6F33F8DF2E0D60AD5C3AF3BC2AA47C55B4409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162822Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9210F5DFD400292FCD0E7BBCAB66C285,SHA256=EDA81059A35CD667A006AA34EDF85A1B5AAFDCE05DED2FA391D7262869F68733,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162821Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5732-6116-3906-00000000E801}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162820Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162819Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162818Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162817Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162816Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162815Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162814Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162813Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162812Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162811Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5732-6116-3906-00000000E801}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162810Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.641{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5732-6116-3906-00000000E801}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162809Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.642{C6197713-5732-6116-3906-00000000E801}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000162808Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.422{C6197713-5732-6116-3806-00000000E801}25883996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162807Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.141{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5732-6116-3806-00000000E801}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162806Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.141{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162805Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.141{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162804Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.141{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162803Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.141{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162802Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.141{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162801Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.141{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162800Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.141{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162799Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.141{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162798Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.141{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162797Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.141{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5732-6116-3806-00000000E801}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162796Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.141{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5732-6116-3806-00000000E801}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162795Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:46.142{C6197713-5732-6116-3806-00000000E801}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217037Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:47.645{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0520F392CDB7D4B5E9D173CA04A42945,SHA256=2C4E0747A084CE85C6E7C9B458912E0D227B3B05212B8805A8AB4B43982F17BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162826Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:45.915{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52247-false10.0.1.12-8000- 23542300x8000000000000000162825Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:47.641{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71B6F049E5CD27EFC2DAC9D0D5CFB8D9,SHA256=8B7BE241D53E24AE220353B785A6F33F8DF2E0D60AD5C3AF3BC2AA47C55B4409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162824Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:47.094{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87160A5B98FE2DE9A955D69E716C8B23,SHA256=27C19BCA12971B837D772B1314AE8BE00B354293C6992D0DAC135114055C6FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217038Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:48.682{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C6BF0A6B50CBE828ECF0D64045F83C,SHA256=1BA0F7305A7E304150EF6591195309DCF5A4B0E98339F4CE3EEE2CF64E34B7F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162855Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5734-6116-3B06-00000000E801}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162854Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162853Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162852Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162851Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162850Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162849Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162848Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162847Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162846Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162845Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5734-6116-3B06-00000000E801}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162844Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5734-6116-3B06-00000000E801}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162843Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.688{C6197713-5734-6116-3B06-00000000E801}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162842Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.500{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162841Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.219{C6197713-5734-6116-3A06-00000000E801}25482596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000162840Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.110{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA496CCC771F39016FCB99EF310B1E09,SHA256=4B8F7C18ACE61FCCA8AA5B3FEC21A354156CBA98BF90B9816885F7EC82083EAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162839Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.016{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5734-6116-3A06-00000000E801}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162838Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.016{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162837Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.016{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162836Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.016{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162835Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.016{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162834Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.016{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162833Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.016{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162832Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.016{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162831Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.016{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162830Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.016{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162829Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.016{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5734-6116-3A06-00000000E801}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162828Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.016{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5734-6116-3A06-00000000E801}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162827Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.017{C6197713-5734-6116-3A06-00000000E801}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217039Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:49.712{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157A675FD1666974A46CDE4A17ABD262,SHA256=8C81A09168C156658F8FD5413B987748FF2CA860FBF50FBF157AD307BF7692D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162885Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5735-6116-3D06-00000000E801}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162884Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162883Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162882Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162881Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162880Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162879Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162878Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162877Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162876Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162875Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5735-6116-3D06-00000000E801}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162874Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5735-6116-3D06-00000000E801}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162873Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.860{C6197713-5735-6116-3D06-00000000E801}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000162872Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.375{C6197713-5735-6116-3C06-00000000E801}37443856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162871Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.188{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5735-6116-3C06-00000000E801}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162870Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.188{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162869Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.188{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162868Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.188{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162867Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.188{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162866Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.188{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162865Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.188{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162864Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.188{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162863Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.188{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162862Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.188{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162861Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.188{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5735-6116-3C06-00000000E801}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000162860Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.188{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5735-6116-3C06-00000000E801}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000162859Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.189{C6197713-5735-6116-3C06-00000000E801}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162858Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.172{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F5A431AFAD3AD81DA8EDEF6A656197,SHA256=723AB14981F0437F4F1E8AF6F76CA62E102CE3ECFEA04BB85481C6B6C69CFAED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162857Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.063{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAA92624619BE2D30F62BDD284F36AF2,SHA256=B9A751A5514AB36E5C92B518487A3252A60A7EBD661E45789D29E813D7D5BCAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000162856Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:49.016{C6197713-5734-6116-3B06-00000000E801}27602196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000217041Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:50.743{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFF23AF1C26EB648B1888CE61BE6B1F,SHA256=F2C9DD345250DE82CF9D74686A50DE5A79E75694347AA78DCD494BF6DD9E3054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162888Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:50.625{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0785398FB9DAB34CA2B52D269D73A0,SHA256=28B845C5C1DD1AFBBA93B8171D5E6AFB033C7BD169A335D04253F1A26A26848D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162887Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:50.625{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=767C5936CE39CF72332960E0EC3AE18D,SHA256=18BF4D8538D3EF5A6EBFA5921949F644B35B9E0051F9492D3A5352EA21969090,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162886Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:48.165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52248-false10.0.1.12-8089- 354300x8000000000000000217040Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:47.207{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64924-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000217051Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:51.879{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217050Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:51.879{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217049Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:51.879{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000217048Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:51.763{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4925EFA6D157F25AE02360FE10ED46,SHA256=EE3477FFAF53BDD2891DAA7BB3D01CD1E4FCBDD9078E7F31C529B405C00158BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162889Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:51.250{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C151BA078899566C52CC802FD089627B,SHA256=0CEB94FE5C0B2ABB69ED8B14F1E3761DCBEF9F6500AC6F0570B637F48E745E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217047Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:51.626{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=F5C9D5CE5F74DCA22900E27E4457DC75,SHA256=CF1E4835344F6D02E3196358E8587416223ED2CC7F85DD2D6DCC58D95A94CDFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217046Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:51.626{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=0A008D4D3A76C33EAFA8E1AB55078119,SHA256=17172EC37CB61D5711D6EC30A447578CBFC45D6416D2FE79317D363C52C07446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217045Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:51.626{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=F16AFDAC00BCD115810DF31108642BDC,SHA256=301E1744704875A36E8137051AD31794AD5FB0D177EDE29BB828328BEE3F4A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217044Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:51.626{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=AE9834680B850AAEDDA38E2CE1B68A82,SHA256=BDC1D88C6C1989CC182751B7EC0844D3D1D569F91236DB74F808EEC7AF270787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217043Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:51.626{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=E3E219E2ED0566E4EAED192F56917D2D,SHA256=C0FF9A7959FCC7081D0EB10CCC2E63647DCC39A4847A31F24BE3F3E41C770168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217042Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:51.626{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=3CB8E8AF355E05649C610746DE7C29C1,SHA256=76E6F13642F9592BBDFAA0AB6C69FFEBF2E19445644B930FA6655B68A019A4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217052Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:52.778{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09D585ECA099629F0D3EE6F1C53E795,SHA256=85497C737715DE2E7FC9C30E8D03E033D64B89E799F4804B30BC6732A200534A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162890Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:52.250{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3227350E9FAF33DFB091307ECDEC3D0E,SHA256=9E5D16A1F072E102BC23ABB4F307C7E835A7E48A5B4DC5BFA95794CC96665258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217053Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:53.808{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BD79692BD1A7CAF579357AE2C9C1EC,SHA256=13C4822342A15C2A5E0371F787DDB5E652FD43919D27EED505D89F520723E869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162891Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:53.250{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFD5DB33B532CD4668422B88E35A52A,SHA256=63F53C94C0A1421D27DC9D8134B32A326B8AC5C7D0E57037137FD03B505C9B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217054Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:54.812{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE175A2C6695D69C92ABD4F63F5E881,SHA256=F4FAECED7AB515A6579B79E3EF92045EDC586AEF3DF6D8741ED684B3A521FE24,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162893Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:51.884{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52249-false10.0.1.12-8000- 23542300x8000000000000000162892Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:54.266{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89AE7FFDDE540F60FA7C813CB75E81F,SHA256=24BE0FD9BA3C3B6B0DB7F0AC34A1475A2A345E481BE70EE71D8633687E7583BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217056Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:55.827{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDD3856F5781D7E4EDC64D937AD0BFE,SHA256=0D190A446CB28592E1709282356EE78F14766710FED67B22394555239769A6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162894Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:55.266{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402CEDC7EDE6292E4E4C435FFA555935,SHA256=586FBD2A8BD51E6E9022D7FBDC1DA424D5908A23795DEA3B3BB2EA4B7D605A60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217055Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:53.164{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64925-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217057Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:56.842{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC8F2B45F0BB463103B517A036F8EF9,SHA256=8B433A16FD84F6085CECAC835755080FC9313C538BB2AB18E5FBFA74D873604E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162895Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:56.282{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F80B73E4DF54541CA9A64441D977530,SHA256=593B946313398311590E890B3C12C1CE94397BC4FF642335A6B8CB6E9903306A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217058Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:57.861{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCA437C16A242F75BEAA197C71AC3A3,SHA256=3C90D44775AB3471FEFA6D1E3C836CE2970767B3A6877272430C016BEB22EE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162896Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:57.297{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40B796DB16CB402F941A1DB16A08624,SHA256=33B008A1C3ED596ADA0753850AD5F2108B9BEAD238F18A9CDA904EEC86B6B3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217059Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:58.877{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5511D10646428715FDF3F1C45F182E48,SHA256=67B3F32CA38182082B78B9D3FCD58A7746B097C4A643DF5E701BDBD6E25D82DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162897Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:58.297{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067EA1A7A85DF89D0D529F98BC0DF736,SHA256=FB8466281F1E8E312378DE2F837FA1B0C8BEE450AA9ED8E89DC4BF34E7243E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217068Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:59.908{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1992CDC288F59ED671DB48EF62050B,SHA256=EEFC707B7DB6736BC4B0C37AC556BBA82D7094B1EB164BEE75F7EF1BC44A00E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162899Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:57.774{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52250-false10.0.1.12-8000- 23542300x8000000000000000162898Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:27:59.297{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9116A7E6EB16E16F6FB2679DA00EC9F0,SHA256=E8D6BE8494A11084A9B217795CD970D9B64F64A1CFF1B7289CB2DDD3EE49F6AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217067Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:59.823{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-573F-6116-4E07-00000000E701}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217066Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:59.808{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217065Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:59.808{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217064Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:59.808{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217063Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:59.808{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217062Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:59.808{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-573F-6116-4E07-00000000E701}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000217061Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:59.808{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-573F-6116-4E07-00000000E701}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000217060Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:59.809{079FE16A-573F-6116-4E07-00000000E701}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217079Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:00.908{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32984A1CF9528C77E8680FD9C3609702,SHA256=CC172A65C77E30FBBCF57048F8FF92314E9B11DD8DE4118FD6DF141FBF41A003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162900Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:00.297{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC5178CACABBB7C2704709133CF2B26,SHA256=7F2F3236B566B4159F11541D28E882292CC7606C6236D76D841C89D7A7E36F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217078Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:00.823{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4476D8EC23D353659C1F4A539239EDB5,SHA256=D75EF8ECCA105F76491CBE6552FC1E251EBDE9D9D76D3E4C943346E4E3F38C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217077Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:00.823{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A7BCD07A46980AC3215253337F01751,SHA256=8EFDF7CE4A48D06891B0153A1AD677C648A9F6D72C79535065F734F554C985E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217076Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:00.676{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5740-6116-4F07-00000000E701}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217075Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:00.676{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217074Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:00.676{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217073Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:00.676{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217072Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:00.676{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217071Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:00.676{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5740-6116-4F07-00000000E701}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000217070Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:00.676{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5740-6116-4F07-00000000E701}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000217069Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:00.678{079FE16A-5740-6116-4F07-00000000E701}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217090Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:01.925{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9DD5AFBC9D46D5757516DB47EAB18C,SHA256=6CC5CED27508753B95819EBBF327FA6411497553F172203666B46BB543F760B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162901Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:01.299{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AAE0578CD07B1583DD1363F0F61107,SHA256=EE7F9B3B6FF43BF613A7DD97BD78C69A0511BC98E19D4D168FDA89048D369912,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217089Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:27:58.333{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64926-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000217088Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:01.395{079FE16A-5741-6116-5007-00000000E701}22764336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217087Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:01.177{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5741-6116-5007-00000000E701}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217086Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:01.177{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217085Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:01.177{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217084Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:01.177{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217083Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:01.177{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217082Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:01.177{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5741-6116-5007-00000000E701}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000217081Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:01.177{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5741-6116-5007-00000000E701}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000217080Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:01.178{079FE16A-5741-6116-5007-00000000E701}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217102Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:02.939{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D83C102BB77094BBB2A94F27EA1D19F,SHA256=1B3021C81F19F07D0F7EA58A66F0E01239DE986E7C221BF3EFF9507D54F7E4E1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000217101Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:28:02.577{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000217100Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:28:02.577{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00be0a15) 13241300x8000000000000000217099Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:28:02.577{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902d-0xe4e43aa2) 13241300x8000000000000000217098Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:28:02.577{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79036-0x46a8a2a2) 13241300x8000000000000000217097Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:28:02.577{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903e-0xa86d0aa2) 23542300x8000000000000000162902Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:02.301{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1336A9C416AD5B88C4AE9E270FE2CCD,SHA256=0ACF897CF05B6B459EA81056C947CCE4729553C87B3EB2B50ECC431F138EA653,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000217096Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:28:02.577{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000217095Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:28:02.577{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00be0a15) 13241300x8000000000000000217094Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:28:02.577{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902d-0xe4e43aa2) 13241300x8000000000000000217093Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:28:02.577{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79036-0x46a8a2a2) 13241300x8000000000000000217092Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:28:02.577{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903e-0xa86d0aa2) 23542300x8000000000000000217091Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:02.177{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4476D8EC23D353659C1F4A539239EDB5,SHA256=D75EF8ECCA105F76491CBE6552FC1E251EBDE9D9D76D3E4C943346E4E3F38C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217112Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:03.976{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A9BAAE6A24028EDD0F7D294E9E3295,SHA256=A8B1DAEFF1400E10ED0D81D5ED497F847A09ADC55FD61A60D00A7977624EAD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162903Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:03.302{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE31DE0DE1FBC24196581683F2568D2,SHA256=FF2133341AA4CF08432C9EE6287B10ECA9473FC0923D423663C1F1AECB272F77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217111Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:03.907{079FE16A-5743-6116-5107-00000000E701}11486892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217110Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:03.676{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5743-6116-5107-00000000E701}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217109Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:03.676{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217108Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:03.676{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217107Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:03.676{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217106Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:03.676{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217105Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:03.676{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5743-6116-5107-00000000E701}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000217104Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:03.676{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5743-6116-5107-00000000E701}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000217103Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:03.677{079FE16A-5743-6116-5107-00000000E701}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000162904Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:04.318{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DBE1FD512A03173CBF87CA1CBD8F09,SHA256=6FC00AC7BAFB76C59960167C7DA24F7FB22ED21374070B54550FCBA2ABA052E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217122Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:04.676{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B96EC5841A4BFFC5CB8FA637CF25A35E,SHA256=E3C018DE73B1F47F04F63ACCA152AB2F9DF75E0DDFED5904669DBECFF571C16B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217121Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:04.592{079FE16A-5744-6116-5207-00000000E701}61242544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217120Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:04.361{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5744-6116-5207-00000000E701}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217119Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:04.359{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217118Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:04.358{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217117Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:04.358{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217116Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:04.358{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217115Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:04.358{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5744-6116-5207-00000000E701}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000217114Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:04.357{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5744-6116-5207-00000000E701}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000217113Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:04.356{079FE16A-5744-6116-5207-00000000E701}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000162906Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:02.920{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52251-false10.0.1.12-8000- 23542300x8000000000000000162905Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:05.364{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF2AACBCB126FD3108C52C6A21632FD,SHA256=DE91DBAAA8ADB087F295DF2D2F5E6C21EB22242407DB024AAC40719DDDC8F2F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217142Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:02.885{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64927-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000217141Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:02.885{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64927-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 10341000x8000000000000000217140Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.522{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5745-6116-5407-00000000E701}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217139Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.522{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217138Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.522{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217137Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.522{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217136Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.522{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217135Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.522{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5745-6116-5407-00000000E701}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000217134Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.522{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5745-6116-5407-00000000E701}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000217133Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.524{079FE16A-5745-6116-5407-00000000E701}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000217132Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.260{079FE16A-5745-6116-5307-00000000E701}54164664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217131Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.023{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5745-6116-5307-00000000E701}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217130Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.023{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217129Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.023{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217128Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.023{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5745-6116-5307-00000000E701}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000217127Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.023{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217126Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.023{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217125Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.023{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5745-6116-5307-00000000E701}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000217124Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.025{079FE16A-5745-6116-5307-00000000E701}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000217123Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:05.007{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09D3CE9D14E50DC1B315FDED1302FDDC,SHA256=975DE361FA268380E8E2A75A667F56AEDFACC2DE015C5F2961E3E1F3E2C1AA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162907Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:06.364{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6979ED12085B7BC6DBBDCF0F01A87E,SHA256=848DBA2E31C3DB3C67D5216E93DF960DCE2A0587F7BC56AC350DC05E0954BFF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217145Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:03.364{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64928-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217144Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:06.038{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDAC0C134CBCCAEA3FC1C03ABF92B69E,SHA256=ED2AF4597CA8EE51F830E378DB88E77D21527630BD4A010B830BE6A38DA528A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217143Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:06.023{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C84B4BC4D2C40E15F99C143FC79B52,SHA256=31F85658CE873525488ABF7F20E8AB9C722305A3AA21FB6CB0FE3533389412DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162908Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:07.364{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F78686D666768289BD31EDA0210179,SHA256=1505907FBA3F9D28BA725D5C85570C798B2BFCA0BC529113E6A523EF5F0526BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217146Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:07.038{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36C1C897ADAED5E3185A450AB89DB82,SHA256=8E7EBB7DF182F97E380BD97F9C44D0A2EFF3D8B0C5CF0411F4501948518317D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162909Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:08.380{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B48A37A1D62B82D2996DA537A1D7589,SHA256=93FE953959393CDF00089922D89CBAF49AFE0466109ADDF36217666716322B36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217151Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:08.190{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000217150Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:08.190{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000217149Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:08.190{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFbe200e.TMPMD5=5BE865BBFE6D2DD6A1F9D75554EF0CB3,SHA256=27622C5A7DF22C1383E270185A60E9F9697DD99F16DBA979EABC776F4EE15591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217148Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:08.154{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\aborted-session-pingMD5=54AEF3E343F50153930378FFE1EE1C6D,SHA256=5430E86099086D3C45B8BBA42E3004DD7DDF60FADA1C4E2E8A2987C8F747BEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217147Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:08.055{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22D96CD03BD99EC4AB4BF53A34222B0,SHA256=499E431017D54C3673E61CEDD2FF39E11A71454CCFD886B20B61122EA590B44F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162910Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:09.380{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985D3ADE0C55A129508CD55D4ADDD4AC,SHA256=F506ED3B3FFD5F14BBBCD40A6004AE9F375846FAEEE80E74EBA491A9A5FBF0A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000217154Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:09.106{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217153Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:09.106{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000217152Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:09.075{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19A30DD35E44450009D2926E07FC996,SHA256=D8788DF7AAB2F0195B5D72A3FDA00F0F55E8588013F457A201B76972F8E443C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162912Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:08.795{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52252-false10.0.1.12-8000- 23542300x8000000000000000162911Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:10.396{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821C30E4698191C244F6C9DA08FB5D58,SHA256=FDDF5E55FEFBB29D2BB3C80796CCD722CE1A17100487BB027D0C472294484703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217155Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:10.090{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B879C23B8C7C24BDC1B99379A12C0A2F,SHA256=B91EE6F3F74538A3DBA11A849DCF4E5ED0BEC15493B352E107CB02F90DDBA022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162913Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:11.396{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E4AB2B4911D3EEACA4BF0517F7AA29,SHA256=442D5B23C46AFDDB69CE3D1E2F42B96C50B27981F9B07BECAB84A5F5361B69C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217157Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:09.262{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64929-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217156Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:11.105{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468D5B791F987A244D08EC0BA083BEB4,SHA256=DB0C9F2D65F3B031DC368293D5F9E92C0C2E7ECEB3E796C3FCD014A6FD3C1811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162914Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:12.427{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4A15F915B6F9C92A69ABAE73A29CC8,SHA256=7748B6416D3980596D5A62408C1FFB4FB674935E5784F11D52D6E79FD98DD1ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217158Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:12.119{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193E7B6F2C15390DA5610986E14C4D49,SHA256=BD8B33241EADE54A310E20C8A3483325C6C1E8C7EBE32D9B925BB2AD2EFE8EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162915Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:13.489{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8855811F28DFC38B2DC07CDD729F00,SHA256=6356F337B5A62D2F640195323DE0207DE63ED98E985304D96982C6CBD7FA5D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217159Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:13.154{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1594B90EB8CF3069819CC723A3D49FE0,SHA256=DBA06A2DB002BE0F43804C744AE29246C3A207B1D578BC859074711A3864E0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162916Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:14.536{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744ADF054EDBA0DDAAA6CEA3047EC011,SHA256=E07891CBC2F4E7A9691D94A7925A744FB90B9FB7ABBB51DCB7DF27CAB4683BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217160Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:14.188{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC3060DAEFCD5279952378C82D4CE09,SHA256=44CF52C8717BD76E09885E01252FDD0CF49779DEDF570394BE78ADA739266545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162917Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:15.552{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF8E42D76F6CFC6940D6220E1FEBCC0,SHA256=D5F2181B91BF010090B65CCF26B26937EC6ED481125AB026D4DEF4BF987AAB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217161Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:15.203{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B44164EF1DB839511434199CD812EC,SHA256=56B9FB5FA529AFB7C249421A7369415FB01A330A4973D48AFA8ED514420FB250,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162919Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:14.795{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52253-false10.0.1.12-8000- 23542300x8000000000000000162918Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:16.552{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA1610BD771448D46301BF16187AF1B,SHA256=340634979FEE0E12EA848612F29B64960516D56BD7BC47EAE48127D546BD190D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217162Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:16.217{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9A5610D51CAE5A5EF96A4745FE6B2F,SHA256=EC32FCC92B300A181947E1B1BA35D269813038E606332540C55297E879147753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162920Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:17.568{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1219266E80C77C135C40AF1D03129DC,SHA256=E7E90A3C1C1A9D36C94902C1D908ECD3C8FB86828C1869315250AAAA7E6482C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217163Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:17.251{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1430ECBE25CAB7535A050545D8676040,SHA256=FB82427AF447FBF8FFB10F46F1C1DCDC4D573D5BF7196DC8B2D1B87010F9D0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162921Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:18.599{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F184C9D4E8B3238318D34C71231AB093,SHA256=C94C2AAAC3A2C8A43B229FFF4FFB0E4FA53956E7D188DD78A11142F3CAB98D1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000217165Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:15.211{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64930-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217164Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:18.269{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4083F2ABAC7B3D7A891DCD1B59A1322A,SHA256=72F4CE5BFD3FDC0C72C52683757CF118912A24010AC653F51B0C08B71874A785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217166Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:19.431{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39BCC238AB07E3DC62C23D119362D8E,SHA256=221F98912CFF14AA610A2AA95D8970C05F22F57ABBB6AB3C431104EBD54D4C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162922Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:19.599{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF7BCA8C7A593AE23593524751C90B9,SHA256=B7D38B35BFEF872ACD4F39EC3279E0351295993ABD3F56680888FCB32ED9B4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217167Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:20.467{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F8C9FC157B235C9D70A402A12D1B08,SHA256=CFBA4B333CBA78C291935AE8812A3156A1780EC08DE979396C8FA517CFCB44AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162923Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:20.630{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5F27C14519C7655067A2A8095BDDE19,SHA256=A46B6E9335FD42C3EA8B49DAC6C115CE5333E8AE7A43C0AE9E763F3D01DFFD0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162924Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:21.661{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA7CD21BA908F2708C73A41F1B17B2D,SHA256=5B64D35283668DA4B0BA60899DDF1EB1FF2587C261AF631B2C67BDC5CF48D83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217168Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:21.482{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990D8A6D6E1499E53A6C94D2374292A5,SHA256=34E83A93B6BFA6F0E09C5454E2243A85066557EBD07091CEF0F96BAE4167DA03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162926Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:22.677{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E634096B0ED950BC90F698785522EC98,SHA256=CE0AA6A1F3742BE2684E361D0694FB63DC0736B1711A4139D1E0D4A3EA653DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217169Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:22.497{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84027B56F6AA9BFAD3EF88CF95947178,SHA256=97107F7A8CD47A09BADE2767BB2A0D1517812CF4BBC2E9FEF1FED1591D9E1590,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000162925Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:19.873{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52254-false10.0.1.12-8000- 354300x8000000000000000217171Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:20.291{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64931-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000217170Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:23.511{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0959BAC27C83561EEB5FF83FB4EF9B82,SHA256=AC6877D65E6275CE334B6B4412E782829CFAF683E666572F06E1D84103D3077C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162927Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:23.692{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA6C081238F397D963C5A0D1EFF47E3,SHA256=8E49DE2952DF2492C4904F59D4061CDCDF54CE92613D06077A7634E772B1F5EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000217172Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:28:24.526{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085F43032132970B52B171CF9A3FB0AC,SHA256=5DA3901A92DB6A3358B1C507F47E938889A1B6923F0D192B85D1726635C8143B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000162928Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:28:24.708{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972A84E0CBC003353C1E611EF950E05F,SHA256=4FE81CF4838D57EFDEA9E9C1B32290222FC1649075717AE5B4621E1A37F66FFD,IMPHASH=00000000000000000000000000000000falsetrue