23542300x8000000000000000213874Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.928{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415C27ABF68B5C4ECC3F68794F8DF0E8,SHA256=4B036C9840E5E45C16544E1B9854B924869168DC9DD9524879732EF932D2E9EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160243Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:26.202{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4305C84E2B543E62F2B85981E62B2FF,SHA256=A4829956B322A6DF0D0961C26296705B5FC5E647B6690025A393308D78366CC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213873Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.850{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213872Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.850{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213871Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.829{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213870Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.797{079FE16A-284E-6116-B000-00000000E701}8523620C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213869Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.782{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213868Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.782{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213867Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.782{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213866Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.782{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213865Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.713{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213864Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.713{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213863Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.665{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213862Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.650{079FE16A-284E-6116-B000-00000000E701}8523620C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213861Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.650{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213860Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.648{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213859Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.628{079FE16A-2850-6116-B700-00000000E701}41044304C:\Windows\System32\RuntimeBroker.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000213858Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.628{079FE16A-2850-6116-B700-00000000E701}41044304C:\Windows\System32\RuntimeBroker.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000213857Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.581{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DB06-00000000E701}7116C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213856Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.549{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DB06-00000000E701}7116C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213855Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.549{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DB06-00000000E701}7116C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213854Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.528{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213853Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.528{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213852Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.528{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53B9-6116-D306-00000000E701}6636C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160244Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:27.202{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4ADCEE2719D40485D751C8A04670638,SHA256=AB878D212D54146CEF44E4CF5675D113D9A53046F1841F5755A3340EA4F64EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213902Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.581{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B8DD536637440AF8BDD122AC34CBAE4,SHA256=33364D528D50E1789532B854656852E988BF594892A48EDF302C328540880AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213901Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.581{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87D047E16FC05C487AB3EB0CBFDD210F,SHA256=568E3DAB695DBB7CB142941EB21C86A963BFE6044A3028756422AFD51FEF2877,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213900Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213899Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213898Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213897Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213896Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213895Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BF00-00000000E701}46525456C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213894Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.148{079FE16A-2851-6116-BF00-00000000E701}46525456C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213893Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.148{079FE16A-2851-6116-BF00-00000000E701}46525456C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213892Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.146{079FE16A-2851-6116-BF00-00000000E701}46525456C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213891Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.146{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213890Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.145{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213889Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.145{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213888Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.145{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213887Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.113{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213886Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.113{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213885Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.113{079FE16A-53D7-6116-DF06-00000000E701}56886664C:\Windows\system32\conhost.exe{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213884Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.081{079FE16A-284E-6116-B000-00000000E701}8524440C:\Windows\system32\csrss.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213883Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213882Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213881Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213880Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213879Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-284E-6116-B000-00000000E701}8524440C:\Windows\system32\csrss.exe{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213878Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-53D6-6116-DD06-00000000E701}67127064C:\Windows\system32\DllHost.exe{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000213877Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.060{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Windows\system32\ATTACKRANGE\Administrator{079FE16A-2850-6116-EC13-0A0000000000}0xa13ec2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} 10341000x8000000000000000213876Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A0-6116-0B00-00000000E701}628668C:\Windows\system32\lsass.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213875Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A0-6116-0B00-00000000E701}628668C:\Windows\system32\lsass.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160245Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:28.202{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80BA05388DE315EDE7F9E7BFC4FB0C4,SHA256=C976370506F189D94CCE7E47E1A8B195D0450D96B5920BEBE228A3F9A1BCDB86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213904Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:25.269{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64715-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213903Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:28.012{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B6F61CD9023DAD8FE0DB849E513172,SHA256=83676B495BC8610977F5D679B193059D34B4E9F7CDF8E31ECCB66AF379725342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160246Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:29.218{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A577EF8BE4244434C5F05FDD43046F9,SHA256=A063B1CABD18A848D3DA318E65400E216940DCFF1936FBE29BD0FE0F4D503C20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213912Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213911Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213910Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213909Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213908Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213907Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213906Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000213905Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.027{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BABEE7DB5B32C86D301E7ED0370743,SHA256=9CCAAD1AA9032DAC89962599E0909A16E05AD9C0F4C122F77692EBB1AE866EB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160248Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:27.910{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52070-false10.0.1.12-8000- 23542300x8000000000000000160247Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:30.218{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B265E79C509E4B64F4565600035E99,SHA256=29B5FC09DBDE8DEB7641C418F0E43E9F2B6954BEF6256CD53F2CD3E9431CD711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213913Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:30.064{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769E8BB96B56CCA1772857F0DA41547B,SHA256=A0D7459D32BCE944EDD033485CF945F4948B3B49834A40A6620832206DAD45BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213914Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:31.064{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6542502986581E07F30D35C02CC87B,SHA256=EF7F0B6BA1170A399EE83778D9EB17A260892A49093B161C43FE1868CDA1BF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160249Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:31.249{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC65E902AAB6CFAD03E5AD3ED19CCBD,SHA256=8DE774A9287BD57AECF32A4F04017FC609FB2745DB2B2C1959120AB2E6DD8070,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213916Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:30.348{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64716-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213915Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:32.126{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9342B971380566E95D1DA00008976F2,SHA256=02A279D800F69A6C466CF656EBD18A316B38FE48BA3656DEB90A3FE8C9048C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160250Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:32.249{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74899288EE266E2133BA699A38420270,SHA256=06A925B379ED7C122229CA76F24E832C36F696439DEFD5391884CD40A0B39909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160251Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:33.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3986925BF9B8BA36E13C9D5DBB2E97B,SHA256=C59F44EA025E298D104F3676D1DE5E5D3B68DB2AC8A92DF6A0437461542E59F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213917Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:33.145{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D2C9EE866986E527E1524E5F4BFDCB,SHA256=F9F8AC5AB565E0C7C6C1CA4DA843A3D1FA3AC56FF21CF99038FCA7CB238CD115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160252Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:34.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28FAA9EBA24E310831E43BB551F184A9,SHA256=BFD1EC30C24120B91B4F92D0E4FF43D62E5B01CD047B38FB9B016FCA3C10496C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213918Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:34.164{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85DC113249ED403836F68D8CB933DFC7,SHA256=D93B8F8DB87B089ED27661662CFEBB3422698A3D98578DFB75B7D301E27AA68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213919Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:35.165{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C163DB5ED3870A1DE6D5E50CA7B636,SHA256=2A33EA4B30D2E48482CC20DB3EA51A1D84D7779873F86473CCD224DB461CF1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160255Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:35.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0633EEF8AA3FFD094BF198F0AC264006,SHA256=5CCE4446FCE0DEB6BE2E54DA38C2A7079FC7557651F7544D87A3378ADB39F64E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160254Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:35.280{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B857C3AE0ED87E98B8AFECE4CAD69BEF,SHA256=CD8BB487A7FF0D479E70EB69A55899FE2A466B5B167E7A0AFE8B8DF5570FB1CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160253Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:33.788{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52071-false10.0.1.12-8000- 23542300x8000000000000000213921Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:36.843{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A0A9D8662C48EA64620658B7C6ACD4F5,SHA256=60863D9F5DEC831FC9EF8EC4C925E653BB26F18F9DA948C28B4CBC15E2144173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213920Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:36.195{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE99FA008F77DBFBC195ED9872AFA98,SHA256=82FDB64541B9741534D73EF011E64E39C34AEC452E677941E73ED11A959A9BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160256Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:36.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FB9B9F1357237CB6BA23E40BF7585F,SHA256=94C169D3E67F4CD363423A8B600F5F3CD622A93507332D44086023B7BC1C9AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160257Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:37.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD512ACBE45CE43D63A291E1971FF4F2,SHA256=F30754FC1211EF6D3801D6F9EFE4F69F1B27AD339E56DAEAC10857B8629A7CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213922Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:37.210{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC2C14C23BE6D54620F0AEC510F4342,SHA256=F1CE272252FB51C03CD9D5B9676BE13CB4FA49F748D43180FAC9C44964A2B3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160258Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:38.312{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687CEF1AE6A5F1046AC44120CFA5BC7D,SHA256=787B9E7056640FC98EE6220D7B201BC2D53F9D4C950BA38601C0A69F1AD1E29A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213925Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:36.267{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64717-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213924Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:38.611{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213923Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:38.227{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D8DB937A1F8A99E9F5081C1B8BA839,SHA256=51B60E966D984F49C78D57AC48E09E2FEC1660069FE9995CB1FBAFABC5EA360D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160259Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:39.343{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CB4CA039CFF7FC6AE6E8C8A1DF0950,SHA256=5C044A6D89800D713C73D02912CECA381C3E169D953AC3ADD290288D8AF755AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213926Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:39.245{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233A138D04F743538C98B2E9F53F361C,SHA256=0B77D48207694CC9709540101AF8331BAA2ECF4E324107CB0D940E0D8292CA12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160260Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:40.343{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF498E78ADF8828D21A569EB8A633BEF,SHA256=AE20B548807BA6E3EF30F5701C05D5389542E3AD75009712B335326C73F41676,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213928Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:37.718{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64718-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000213927Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:40.279{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BF7BB260918C613138F46D54534F4B,SHA256=E5E8C1C35031FF7F2B8F3A515DFCEA71461F30F183014D36E91CB40BBF742A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160262Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:41.343{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F99D69A5B84A85B2C199C69801541F9,SHA256=87D715DD0F69FD7CBD6C48F44152BA91EA461338DCF9D02AAF0773EA6E8A8917,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160261Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:38.863{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52072-false10.0.1.12-8000- 23542300x8000000000000000213929Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:41.310{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE9C04D86BFBBF51937E136AC61CE82,SHA256=48E6A65F65A914BDF523E05F63E862C10840CBF860BD9F8989D5ED26024CA59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160263Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:42.405{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC11B0ABA08631ADA771A141A169E8C,SHA256=6D28281828A119347C0094CBD8B7C3895C5B03359FA88625372F3C0589F53383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213930Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:42.430{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED99A04D83A896DC75A395A311726F0,SHA256=C552582B47A626730646A1D1E4D2D4918A0577C98AC9C3E3CA2AF7820349451E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213932Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:41.317{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64719-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213931Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:43.435{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853E05D3CF8B1D1B38296DC60C4C5FA2,SHA256=067824A74ABA14A4F124D4385C96DC3FE88A81F0D6F44D2A0001F13CD5B92967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160264Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:43.421{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF67ECC0D18E16B21763BC401911D8B6,SHA256=E7610A2CFA9AE3B57E9C204EEB1A2E2291411659B162FEBD575BDF397B9450E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213933Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:44.454{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98BE80B7A57AC471982A87C602E5972,SHA256=76B236619F36C0D9280E5306C556C1AF3D2F1DA9A2E66127CC08D77A03CD7758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160265Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:44.437{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A53400CEEB800D6A1EEFD4D8062C8EF,SHA256=071313D59394486E51EBCC46B697B9B8BB6569549D245668F94B1D2F7E3DFB73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160280Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53E9-6116-D505-00000000E801}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160279Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160278Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160277Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160276Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160275Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160274Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160273Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160272Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160271Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160270Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53E9-6116-D505-00000000E801}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160269Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53E9-6116-D505-00000000E801}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160268Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.656{C6197713-53E9-6116-D505-00000000E801}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160267Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:43.911{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52073-false10.0.1.12-8000- 23542300x8000000000000000160266Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.437{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BE1EA8536E9F2F85475B53FF7004A7,SHA256=DE6495FEE1AA2E4AD188BD82CD6ABD99FF9AF5C1F337C1002574F3978D69F7C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213934Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:45.473{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E79BB65802AD578B462FF1690F7B08,SHA256=55729B4F550BA7F7DD3FCE6C11A11BF2ECF74EC9E3982E55F93AEF6EA59F63C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160309Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37140990DBE060172338E3DC34B06E06,SHA256=75D62C40F6F051AC62CC06E706C8A5F21D1C535730583E07A0164A2F3D05C1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160308Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DE2FCBC81CC30A76AF941E31EF2E640,SHA256=E02EDE41D87FC0EE549DEF8172616249A577FCB9FD1F05EFF3D024B21D00688D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160307Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E748C39CE3C3920446D714890F851F94,SHA256=5E464B8E34E357B46A0D8E926C24C8BB0A0A36071FD08EC4B86F09E9F015A8D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160306Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53EA-6116-D705-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160305Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160304Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160303Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160302Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160301Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160300Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160299Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160298Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160297Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160296Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53EA-6116-D705-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160295Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53EA-6116-D705-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160294Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.828{C6197713-53EA-6116-D705-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213935Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:46.488{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD70094C5F37197440B14BF5DDC895B,SHA256=D791226F004A72EE26138051C7A3AB51DD6CC1CBD9372FA49B6EB7F443C70926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160293Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53EA-6116-D605-00000000E801}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160292Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160291Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160290Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160289Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160288Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160287Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160286Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160285Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160284Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160283Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53EA-6116-D605-00000000E801}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160282Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53EA-6116-D605-00000000E801}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160281Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.328{C6197713-53EA-6116-D605-00000000E801}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160312Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:47.846{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37140990DBE060172338E3DC34B06E06,SHA256=75D62C40F6F051AC62CC06E706C8A5F21D1C535730583E07A0164A2F3D05C1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160311Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:47.829{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C887F2332FCFCD2F5F782D6B7D9EFC5,SHA256=B1636DD1C5AF2EA9DDD9DD857DC77EE139F1D3B52782862CBCDE68B14531CD4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213936Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:47.503{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9FD88F72EF24C67202B06B41328C4B,SHA256=F615F3C67A5F796052F31C0D667DA8B6FE2BB4DBC20FD847B97E488DC619FB83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160310Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:47.032{C6197713-53EA-6116-D705-00000000E801}23523956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160328Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.830{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359187ADACE03DB069612B1B9C3CB7F5,SHA256=A0DE21DEAB2A44F80E785FABF72B4F06DC8CE17CA5ACF02073C7CB9BDF3E0910,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213938Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:46.325{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64720-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213937Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:48.518{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FE47E29F94D3387F61F44A191C7A2F,SHA256=E12D9AFC3BFBAF67279C004E09983FDACC7AB786131EB6D7E3147FE9D7865D45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160327Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.596{C6197713-53EC-6116-D805-00000000E801}23323012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160326Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53EC-6116-D805-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160325Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160324Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160323Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160322Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160321Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160320Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160319Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160318Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160317Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160316Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53EC-6116-D805-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160315Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53EC-6116-D805-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160314Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-53EC-6116-D805-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160313Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.221{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213945Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.855{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=8C706D4280C59E4F1F7C574F3E13B507,SHA256=4566077350CD631473285222ACE6C13E4FAD76191F406D7624FB23AD27B92CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213944Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.855{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2D48CC0B8F9D602BABBCD9CA61F2A777,SHA256=6439051A9A4CD12B86AEDFBAF01C7180823CEBF84400595DA6EB46358F5EF23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213943Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.855{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=64E6479249A670063015AEDEB7C81003,SHA256=D2DBE43D5DE1D608F067C4AAA57D93DF3CDEE258432E28E58B2EFAA6881FA508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213942Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.854{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=DC89444A41507ADFE55675355F8AAECB,SHA256=996F742E8FC04C5F1F4B4B6B51281B68F19EDB5CDD84741E0EB707173CAF7959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213941Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.852{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D4F910F950CA48E4FA558F89B96BBADD,SHA256=4FE1B527F298461E76EFECC00499D2F99D6AF9B7E278290F2C45CF620C6AA4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213940Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.851{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=4B77300FAB96FD22CD710640277146B5,SHA256=88D142546DCF873C7A035C311D1388B8A432B1A39A8D5E53501373C8B320E30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213939Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.533{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F485C8B37EFF94A8449B971B63E12C3A,SHA256=09597249AB7EBADEBC81EBC5223B6D664784C0F82A575B077144C937F6DCE402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160358Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4437938A949E8224425DB770E83E5BC,SHA256=888E4284EED4269E2328D7D61C5EBEFC2A744017F64A461FA96B018F92C5E4D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160357Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53ED-6116-DA05-00000000E801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160356Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160355Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160354Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160353Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160352Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160351Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160350Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160349Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160348Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160347Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-53ED-6116-DA05-00000000E801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160346Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53ED-6116-DA05-00000000E801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160345Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.568{C6197713-53ED-6116-DA05-00000000E801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160344Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:47.866{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52074-false10.0.1.12-8089- 23542300x8000000000000000160343Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD2EB2FFA5E642E2F368046BA676A5F0,SHA256=22F4512BDFC78D9A7D23EF78FC939016044E1F527A1627B0EE95F6E57879A367,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160342Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.333{C6197713-53ED-6116-D905-00000000E801}3124992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160341Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53ED-6116-D905-00000000E801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160340Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160339Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160338Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160337Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160336Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160335Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160334Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160333Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160332Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160331Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53ED-6116-D905-00000000E801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160330Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53ED-6116-D905-00000000E801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160329Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.068{C6197713-53ED-6116-D905-00000000E801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160376Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6243590A84DC43F28798C752EEAE63D9,SHA256=291581DE4A22B9A5E7C39F4BE038DC319EE3EEA92F195AF8FCEB5C926B7D2A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213946Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:50.552{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C342C89990D7312F0EDDC293025643,SHA256=57658F519B524D004780F7C0B482616E19D51A0D33CFD8624D48CE7A8BA43ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160375Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.582{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=312172FE7EBE7A40969E35C2CB839009,SHA256=5B02AD3652EDD1B621D84F145DBBA966E7A7FCF0C0BBA7C2903BEB898C19209F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160374Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.915{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52075-false10.0.1.12-8000- 10341000x8000000000000000160373Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53EE-6116-DB05-00000000E801}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160372Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160371Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160370Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160369Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160368Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160367Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160366Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160365Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160364Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160363Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53EE-6116-DB05-00000000E801}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160362Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53EE-6116-DB05-00000000E801}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160361Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.084{C6197713-53EE-6116-DB05-00000000E801}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160360Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=464FFF0A1224CA015ED8DBC1A0D84800,SHA256=21253FEE06A2DC73DB1462E1FC1B5591532D19636D3C0ED5C333D7C7328DC502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160359Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.989{C6197713-53ED-6116-DA05-00000000E801}13042196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160377Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:51.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493B28ED04350123D04AF8C9830CF69F,SHA256=BDC3632F51F619CCAE71144B3F603AD4A68CEF7CCC25F6719A53B54F1C6A9861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213947Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:51.569{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56B08C4D016FE7AD390CED122F51D59,SHA256=D8FB722271D5BD40212E9248917958BCDE49A0C79E8A8DFA5525BCCA0CF2094E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160378Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:52.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27BE2A113F5BB57FC69E793550C451D,SHA256=792215E510F75CF9F1384987A4C30C34851A6D76EAC396168903AE67E9ACD5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213948Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:52.599{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107D481838D857A927378310EDD8463F,SHA256=7498CC07240FD07A142EC4476AA6F91D82E4BCE0E05BDF0173CA43628A9A86D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213949Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:53.613{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95261E6B976DBB5A7DC93A7A7D197C5E,SHA256=625D7D1EC4607C159F73F89FFA7CB3FBECA69CA4255A24963B614040EABBC6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160379Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:53.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFF70A5B3B2385496D789211BF5459A,SHA256=60048A766E4ED26E0661E9FD49693CB3C0D3B3B9EA1DDFF434D7DF578B92234B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213951Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:52.367{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64721-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213950Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:54.629{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C6547E9EF3D7A1035CF6C6368FBEA4,SHA256=0C4B7320B644876879BA9243D404E982AAC2D4E814F43526DF276FC8BCD45C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160380Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:54.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8FCA0299121B32AFD9B7CD5F73CE95,SHA256=E3B51F00E57DB9E7E5226E59C5E9A1D8D5C6F021C9B839C8B3F5881C722D1051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160381Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:55.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBD2491D122214C1D94663BD3B7F763,SHA256=63C46CACC925E5FF07B0E5D8FA07E5809583F28CA0E8C532C52ECA75E9896F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213958Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.683{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312AAE2FB32062C7C17AE31921690826,SHA256=536B0149B98C107C619F8F6AFAE1EA76CD6E4773F6656CCF275AFEB40EE0CD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213957Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.452{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=697B0F8B8AC2BA6605B7317210658193,SHA256=14F11D3A5B8047161DAAA6B644C1760C442F03EAA8481C0ECC111613D531D86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213956Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.452{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=1F30967A25C13C4D8E82F9A8F1D5C063,SHA256=30AD2875CFD9231F4F61E6D8F61784BF3581C235758424E777EE49B8DDD80B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213955Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.452{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B2EA2B0AA6AFE4FF263DF8593852D732,SHA256=A5B98183717A53DCCF33DAB950B87E09C18CFC5E99044443B4D80C06D2EC1F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213954Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.452{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=35301AC43B978F17475DAAE8B4BD7FF4,SHA256=355795F5CD084B4B72D1B497A3BC3E4316DD1CB2E8C866AEB13FF2C65C47EA74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213953Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.450{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=734729C4A4A8F39DDAF0D8FE206F399A,SHA256=10759DA80E6F012E8109F9E94982ABE5ACEF352024FFAA89B5EF843D851449EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213952Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.448{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=68C52CCE8B562A0F3A927C0C0D9DF0CE,SHA256=08D6FEC469691509A3CC4351838FD6B5D5F3368E1524DE0EDABFC70BD578A65E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160382Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:56.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145F52890BC3FCBAC615C7E703AC3A16,SHA256=894E35843D95926EB54FE7A992558222AD7703F0A81D100952397167BA1FD47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213959Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:56.713{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABA025C42799D8237B2F8E912694321,SHA256=BF206C7256986C1EA5FE26121DB8D51C80277C684B3D0E2739C72C11B7AC8153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160384Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:57.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA53E30FBC8FF01BEE1F85BDAEA4B0B7,SHA256=629C96E1664F7833380E7DCF245C4926961CEEE485140225202703BCAF0A42DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213960Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:57.727{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFDD790891FA910CF533CBDF23D6065,SHA256=634319F09878080A275556C016E1A320C2AE4A347AC9E05EA1D4B17B53D1A4DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160383Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:54.884{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52076-false10.0.1.12-8000- 23542300x8000000000000000160385Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:58.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98118E67FE06F03652554360B8EDFA5D,SHA256=E1DCCF5D8A5E1CD06893E7FF945E24E38F1B4850B4ED5496BFF401E31E0DE92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213961Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:58.745{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E406707A5B55872C5EAB0FEB36E1462,SHA256=5F65CC38D1D4B4ABC32823CF7076556B0764F342C73674B38882105DB695149C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160386Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:59.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3E1BEF2BD68BBBEBF72858829E92B5,SHA256=B8C1D51EA93D29C017EE0588BB61B9AE1137E59967E474FBE84F138BE6DAE446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213970Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.826{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D602CCCB3A3F1D93BB7F8EA5F9067D8E,SHA256=47F9F9706424731FBE4E2BF13F22EC07E6DCC8653CE9E27ACB478F892BAB9E40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213969Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53F7-6116-E006-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213968Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213967Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213966Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213965Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213964Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-53F7-6116-E006-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213963Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53F7-6116-E006-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000213962Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.711{079FE16A-53F7-6116-E006-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000213994Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.894{079FE16A-53F8-6116-E106-00000000E701}57047120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000213993Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.847{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D086D0CB2712D59E18C524C1129ABB2A,SHA256=28F86CEA050C9D8C0B1A8D0EA794BF48CC20F4C13877FBE37918C52F5A56D3AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160387Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:00.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B77D1B074DFF5863B769315C874F89,SHA256=C5526F09A3C7885154279F2132926B037C27AB1BAF6DAA8169946EF2B6D055EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213992Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.716{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8BD004EDB018625D8091855E75FD798,SHA256=CF7A97DBB943AF46CA3D8E64CEF7D9A1EC0070CFDF9B71C8D32EE4FB5F81C04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213991Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.715{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B8DD536637440AF8BDD122AC34CBAE4,SHA256=33364D528D50E1789532B854656852E988BF594892A48EDF302C328540880AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213990Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53F8-6116-E106-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213989Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213988Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213987Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213986Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213985Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-53F8-6116-E106-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213984Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53F8-6116-E106-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000213983Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.565{079FE16A-53F8-6116-E106-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213982Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2D09B6F9EDEFC69A233391E2628A680D,SHA256=7BB2B6314799F909A3D6EFE9CBE59C2ED8B29DC1202CA9149B03E032E288916F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213981Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=AE7C0F65D3CEED0E1410D63778B5DED7,SHA256=654C8809846E88214A2D7275C122DA061457BD9C5C8F78262EB5C1A9E7B44FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213980Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2D0A83580422635CEC7C6D7C2DBD82F6,SHA256=154BD1FC44C8FCF9A0215206827D84E31F17886390AF02C07C37A2BD6468E007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213979Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=CC34E591623319FF8AC832C9184F3C43,SHA256=82B122F25673DAC4F01C43CD4796562F99F6DBE9494A5DB831040BA47D5B4C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213978Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=7E0E2B40BA90E4E8BEEE42FEF678321A,SHA256=785279F4DE2A47DA6495964554056B41380B1BBCD602769363DB0D1AC7CB6214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213977Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D655D2845120DF80ACC06B8841AFE0A3,SHA256=21931DBA62BCFF47ECF453D9B833C2FB25EF1BC00D645AC8A36A8BCD8B171A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213976Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=802CEF181B45F65EF49C0A4C04368D60,SHA256=901C723C381A0A40D000454C06A182397B106BBA10273716F195486021AA14A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213975Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=6F6491A601A1A664861361A6FFF7D187,SHA256=002196242A59970DCBE475A4F60DB68DCB294DB298412A74AAD2E84DFBFE0864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213974Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C67B28D3C3C20FF2D97715B4885C17C8,SHA256=6ACC64E6DF471D6736C00D0B6D6E71E026850F6B68F664609671D3D2A030F4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213973Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=33144AC011368A829D393503FD89C748,SHA256=A6FB8E4B3B2FB648E66A089021125A47CD50D63DC6EE25471F973BE22D011F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213972Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B6B164F3D4A4FE34B5C93F0202AFD4ED,SHA256=51B5339376DEDC0489144D142BF836A5AF8B1861150F2A64B58A4E2AE7FC2143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213971Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D16251F3A0AA400F69DD51DFF20CFC7C,SHA256=1F209995E8AE90213AAD823E8CAD33216E7A4AFE0975097F66AF2DCE9B4E2404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160388Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:01.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4288DDC61070416A9B29917399537432,SHA256=671F22D5A290D4C9F1466B604E12B18A9E3FDB2A954DAD620D6B16E9F6ED35E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214004Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.862{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E406E970BD07572E88BD7D32DB707274,SHA256=F97E7DE60FF0092ED9984436960B4F84F2E719F0AF82D215C7D386E3BA4619A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214003Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53F9-6116-E206-00000000E701}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214002Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214001Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214000Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213999Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213998Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-53F9-6116-E206-00000000E701}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213997Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53F9-6116-E206-00000000E701}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000213996Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.196{079FE16A-53F9-6116-E206-00000000E701}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000213995Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:58.133{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64722-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160390Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:00.853{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52077-false10.0.1.12-8000- 23542300x8000000000000000160389Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:02.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F525B9841B07C0A90D237DA692F3A06,SHA256=735585752E99AB292B6CA0266812FF054FA24DB328B09E1FAFB5F36F3265F2C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214006Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.877{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027C65C65C032C9AB587E0A966EFC168,SHA256=DE56783605920CC4619C76CC577E1C3A8F6616AAEE43B22254908369AFCB8953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214005Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.362{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8BD004EDB018625D8091855E75FD798,SHA256=CF7A97DBB943AF46CA3D8E64CEF7D9A1EC0070CFDF9B71C8D32EE4FB5F81C04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160391Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:03.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EBD34F59BBD0095A5EC66D79E99895,SHA256=6FF6A8C7E1FDD51186859BEF147F4D6E246BDCB89B2377ACC1426B21973ACEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214015Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.915{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E56F04556524B76C031D8CF6FD019A,SHA256=FBB280F019511D99566FD547A142F621E5CC67911A477944147999CE6A4C54C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214014Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53FB-6116-E306-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214013Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214012Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214011Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-53FB-6116-E306-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214010Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214009Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214008Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53FB-6116-E306-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214007Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.778{079FE16A-53FB-6116-E306-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214028Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.928{079FE16A-53FC-6116-E406-00000000E701}41326340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214027Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.928{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B381EF1B53F9C708D9564A2FB051179,SHA256=7BDFAA4F5142E20783C0DE060EEE1AF1AE8EACFD1F26A9D5344D586FF08D1A0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160394Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:02.852{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com50132-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 354300x8000000000000000160393Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:02.502{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.9.49.23995.9.49.239.static.ttnet.com.tr54306-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000160392Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:04.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE89B56C2CDE7282B3E6F368D7A2EBB,SHA256=879B79E39B49658E7B346FD09BA2F9754674BA075150F204BB14F2AA7BDE3A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214026Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.693{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF8C56630A2066793FCC74DE2FC0B80B,SHA256=74B0FCDDDB6C5EB6AC2B5CD765D39A2DF68A7EF4C965B2EB2999D533D7066E34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214025Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53FC-6116-E406-00000000E701}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214024Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214023Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214022Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214021Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214020Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-53FC-6116-E406-00000000E701}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214019Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53FC-6116-E406-00000000E701}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214018Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.645{079FE16A-53FC-6116-E406-00000000E701}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214017Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.932{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.9.49.23995.9.49.239.static.ttnet.com.tr54301-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 10341000x8000000000000000214016Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.117{079FE16A-53FB-6116-E306-00000000E701}26726192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214050Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.975{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EA1D294A4F21E9C3C0C530F07EB384,SHA256=0634A33A6C5D0C227FCE3AAF35C639A13F6BDAAD1FAF3EC8686439055E08023C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160397Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:05.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=179AC6B2F513F4014A73AD85E078EC6B,SHA256=DDA44E59B59BA4D51EA2FB787F46884ED2390E280DAE291AC1D0887F6285E218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160396Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:05.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910308649549C0748ED32ADA1442D0CF,SHA256=14EAB319A4DABC4C29694B68B5EA33778900E7608AF5298D6CE3BBA26B6E0086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160395Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:05.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638EE150635B86040FE5FD35C2BF5EE6,SHA256=556ECE0B6D43FEC0111B76465C5CBE1C1DF05FFA8657ECE380DE1E5519624079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214049Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.890{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01290245E9F73804769DD97D7B0ED15A,SHA256=C2DFDA52C715C82954D220766DB27F2FE6861B07BB9F7AED31E89E6E0ED5026B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214048Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53FD-6116-E606-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214047Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214046Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214045Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214044Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214043Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-53FD-6116-E606-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214042Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53FD-6116-E606-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214041Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.792{079FE16A-53FD-6116-E606-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214040Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.575{079FE16A-53FD-6116-E506-00000000E701}55883440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214039Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53FD-6116-E506-00000000E701}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214038Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214037Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214036Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214035Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-53FD-6116-E506-00000000E701}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214034Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214033Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53FD-6116-E506-00000000E701}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214032Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.292{079FE16A-53FD-6116-E506-00000000E701}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214031Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.769{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64723-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214030Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.769{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64723-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214029Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.328{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com50130-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 23542300x8000000000000000214053Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:06.991{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFE7CEE7C3AE72B1591FC3FDFAA3CE0,SHA256=7CC5B420094E64958A9B5B407E1092A3AA34E8FE6E57C4AAB1951E85EFE814B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160398Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:06.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D045019031CEB658D7AE99568E1C933E,SHA256=497CFC5D3D4A23724FF62CFA290D6994A53C40F197898F4230B866642C999552,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214052Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.013{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local62663- 354300x8000000000000000214051Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.184{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64724-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160400Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:07.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F2587D4EDF570BBBE138DFB5D23ACA,SHA256=DCF7F8C4EAAEEBE100383DF7747CF3E8364ED3ECEAC4C0F15078D98767A10C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160399Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:07.239{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=179AC6B2F513F4014A73AD85E078EC6B,SHA256=DDA44E59B59BA4D51EA2FB787F46884ED2390E280DAE291AC1D0887F6285E218,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160402Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:06.791{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52078-false10.0.1.12-8000- 23542300x8000000000000000160401Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:08.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38157502A3C62DA1E7B9190DDCD303ED,SHA256=CAA1C9A1AFFAB48E7CE81912842F852DF8512EF2EB957D39CCA89BE05E589538,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214057Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.090{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000214056Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.090{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214055Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.090{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb14e51.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214054Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.024{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B796000C04C0521A286C030EE5AADB0,SHA256=1C7015BC4EF194C745D05234913FEDB59FE860F8F98B055DF3E3CCF22C11992F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160403Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:09.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9F2FA9689B619EC053E26692074A36,SHA256=44B5510259746AED3F2D9DFFB11CD6F121612E8F49530EF438301FC272204121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214058Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:09.207{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA0F337F0B9006BE1DF2324C6E47352,SHA256=C7D6129A62D4E8314FA78E51D76242C70E154D8EDF5C464AB3892D42C06DE4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160404Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:10.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22874727BE7AF05E22EE7D7FB70677EB,SHA256=6E7FD18E2A2CB73974A93B8E380E1CA6CF1A8A2A7B4894A34598793A62D35150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214059Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:10.325{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB1AB28DBCFA7EA5071BD6CF3574660,SHA256=8AE15A645CD6790C1A25A27381A5F34DC4B688B5E236DB1854C465025871671F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160405Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:11.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE90F84C08A315A706E3B9D2376E800,SHA256=F094168F33D347C4D4999E3223CA14799328BF4AE40C40AB10EC9591CF4208CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214061Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:11.343{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C7D78D66F94C5B527AEFD43307988D,SHA256=F902C6EBF36BE4266FB02F7F886875F8AB4C32137453DE63D503724EE171DD44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214060Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.199{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64725-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160406Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:12.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4971DB95A09FA3DB4D4118CBB0B76F,SHA256=5227BE1087D0B68E1FB8D4576B821B7FC0502F3FAED463C2A68F6FBD362F4B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214062Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:12.344{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C8155F7FEDD7B828347DC3CA2E7959,SHA256=DD801A5D5CD72A778C5D257F3EA261B81BC8FF5F6CE78143BAA2969B33899F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160407Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:13.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6998BB49D8A93C85B8A44B40AAB852,SHA256=B64318D3B135DE7AAB41DE85BE118BD65B0597ECB22C0F9B16A1C5A29030BBE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214063Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:13.374{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5481D4827419D0D606DFF265152ABD,SHA256=12DB23BD567221A2D852098213A5BABF2B641ED438F848A97D2D2D26EDA46E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160408Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:14.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFA689DB17DA18391FD8541AB82E420,SHA256=B88DCA22FEFB8EEB3F6A0995E3A43BD3F54419C4D8A1E3F72FF122DB102083A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214064Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:14.389{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C14049512BE7CA12DA5821E30C5984,SHA256=2675E63E74A8E9575050EBDC97062AD9BDAEDD372FC74FF96351055BF8B5A4C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160409Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:15.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAF68DA247E5F3C9CDDFE694F62BFDE,SHA256=5A43E1302265331EE8B8450E41DF45D0F232F56068FF0A406323007ECB558CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214066Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:15.404{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7421CF21EA3D8ADBEA00B8C051B13DBC,SHA256=852DAE153A5548A617DE61D4E9D9F53FD6170BA1AFBCE427345B78EB8198F573,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214065Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:13.243{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64726-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160411Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:16.926{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B943ECFEA5B4314AAABA6F8156ED1D,SHA256=FE35CB03D52912F7EE9022D8A59147CE0C3B273694470E839CAB8E961DA12B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214067Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:16.423{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D54F6FF4B1236655EB9DACCF6DB345,SHA256=1E174217022DA5119F1F62F12F4C1DA06814E7E923B7697A492C5C94DA4CF022,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160410Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:12.759{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52079-false10.0.1.12-8000- 23542300x8000000000000000160412Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:17.926{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8EC77C868F45E4A819221B3092ABE2,SHA256=F3A2495008998E7F5DB56A388682342B3B91D00998E9878182D2FDF2AC2A5E42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214068Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:17.441{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B6168A9CB80DD4825CB04C9D679905,SHA256=6D4C538DE09E29F55078B9AAE97A75B83879581E7E5AE95E73756F7DEBDE3F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160413Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:18.942{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42976A9B89668DD5DDAEB71166CC064,SHA256=5AB49BD4C101847BE609B7991EFA4E2B4F4637DEDFB46B771E5247ABE095229C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214069Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:18.457{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD676997FC7D5D82BCE3F70A8A7E53DA,SHA256=CC6BCFACCDA131C5C4D25D8CABE928B70D2B30B439C68605DCF6705B9C7C9959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214070Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:19.472{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899276083C911F77EC6C7537558E87A6,SHA256=ABB63EDE7B3D217BCEB3DCEE3F4C6720FEAC057F544D81206101504BC0903F0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214072Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:18.264{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64727-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214071Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:20.486{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20AF7B84BABC7D05258E34BAF0EF59F,SHA256=4CEF658D86FC2A52F196C15BCD82A768FBC2DF928378D149BAB7E1EDD9C86F92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160415Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:17.791{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52080-false10.0.1.12-8000- 23542300x8000000000000000160414Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:20.004{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B527593AE5FF4876587E6634648A5D,SHA256=AE971CAEE07EB28C40C862FA66CE117085E7569E6952B2BAE775D3274B3D42D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214073Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:21.487{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2884862E047BD3674D283A6AA18AAAEA,SHA256=CC5259FF5BA241543F048D4F9B1DFB579ED3648541B3CAF6EDDD030EBE0B9CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160416Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:21.035{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6DA62FB19E9E1A585482F4E9180149,SHA256=EDADE5607C6FF2A6E36B570E18A9DF64EB692D08FA4A6ACAED9D4D2E4513CAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214074Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:22.488{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66BDC62DFFE9F88BA731BDEC4885291,SHA256=6FE25AD08C3FC8700ADBE5CAD709619A62857A36D60BFB47093FF8A932226BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160417Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:22.036{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEC62EBC55706AB103C4C62BF3E1904,SHA256=0113BC4F7031EE0265FE89C6F690360FC1640C38C7FD90173F7A7BA29042AA44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214075Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:23.503{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D086FDC2DC073A37504FC362D035F713,SHA256=B87BFC21E8FE3864CFC19D6FEB0EB8A5953A49D398A82990B49DDE7FF79D2CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160418Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:23.082{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6A29F903DD1DBA20F8850B5577E675,SHA256=FFEA4077C9C08884DA65FC25BA18DDF02B3EBBF3454B99762DDBA17852AEA133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214076Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:24.520{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402DCC38F73573D54F392488D68B3E05,SHA256=B6A54878684CD76B2E0F8F8148DD2233E0A9574DD8EE876E8D260EFD4533090C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160419Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:24.129{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935004980812BFCE4D14F0F622064FB7,SHA256=8C54BD17483379ECB94A2D782EFBE6401D401FA9C7DDD3F9486EB0285AB37476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214077Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:25.539{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A62BDD7CFF0C6D665202D09EDF97911,SHA256=00C40F9E4938A90A94DBE09E705D55A103F628E861A5DEE56EFAC39292CF72EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160420Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:25.145{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC02E068422CFC2B1D472F523EFF52C,SHA256=E7B38E8E361E8B05981EA4C1BB925415FEFE867A4C54210EF5EAD844A5A576E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214079Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:26.569{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7A2643548FA5E6F0F2389D2E628CA4,SHA256=C6DB1B6007480FC3A3382B80A0BB7BC995236C61CCC87B2F5E74038CC9F66DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160422Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:26.160{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDEEA89B3D01CB231F8C88A41CADCACC,SHA256=F89AD752906D300FB87F569B0F8D6E2B1F2FD6DD5ECE40C7B24EC8FE5802BAFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160421Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:23.791{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52081-false10.0.1.12-8000- 354300x8000000000000000214078Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:24.224{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64728-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214080Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:27.599{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FCEB3FE6D0F8ECE2CB1D4B99B485A5,SHA256=91069C1F18E9D9B99333243F490DA6CD550EF6A86275262FE002F7DC64A7FC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160423Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:27.223{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811638FBEB1A936F4907FF7B63DA2A08,SHA256=43C2D832369EE8C4152A7C4BA857FF3898DA3E1023621ACEE7D8C0698C0D6882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160424Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:28.238{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967230D0CF1A110BD71CFE58FE74AF81,SHA256=8F36C085864246255F2B4A058A8D366606B2A536D32E5A8CE61493A95C0FE8A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214121Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214120Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214119Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214118Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214117Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214116Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214115Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214114Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214113Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214112Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214111Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214110Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214109Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214108Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214107Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214106Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214105Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214104Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214103Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214102Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214101Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214100Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214099Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214098Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214097Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214096Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214095Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214094Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214093Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214092Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214091Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214090Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214089Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214088Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214087Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214086Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214085Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214084Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214083Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214082Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214081Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160425Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:29.238{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128F70F9102EB621E96A5C284343E57D,SHA256=104CDFE473E3AC719A05E0765FFE965F13ED19FF4FC8239F13921701B1BC2C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214122Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.999{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C134F76876F2461B53E76900E02FA5CA,SHA256=56FDD2DA2B92EF18731E90DD4710C9DA34EE1D846F391F7008F4FE3F841AB0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160426Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:30.270{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA23EA711B9E9F2B41EDE0755AA903FB,SHA256=39C070AFA4810367B49A3CDE1821D27306C261C3F808412C3F112CCAF6B28548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214123Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:29.999{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA7C16E0EA0B086773D832104221D11,SHA256=068F2CD3ABF3A4667F63BEB240032D56AB2AC57B714073730371FABF0BF6E15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160428Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:31.363{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181CDACA65CE497CEAC0DFAD85870169,SHA256=8C6AF09A84E9DE8396BA6D79D7B152298C000CFCD82EA93AB95124C3F1786101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214124Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:31.016{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07293859314DBD97D4078CC908189A73,SHA256=524B70381B02C6549ED4970C78202C68F0E1AC3C549BB1A6C6392003A484F2C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160427Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:28.807{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52082-false10.0.1.12-8000- 23542300x8000000000000000160429Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:32.379{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F841EF501CF2B4790FED9DAEDB4FEAAB,SHA256=2C387A785EE4C7380329D0DB808B23A59FE9DDE0FF7735924CF55222B7FB9376,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214126Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:30.205{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64729-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214125Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:32.034{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E732353A1D14FCC20C4AA5D48AC38B,SHA256=8B68BC5C4C49B9FF1269647DB552649C6737D4F4C6E1FC9F522EDD38ABA46A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160430Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:33.379{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02ED10304D27686841E45F0E0E72C35E,SHA256=0C816B23B2E54B845AEBA061A7D49A0BF117F1F0121634008FF560CA38382318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214127Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:33.065{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B315B8519D6BD51BDC7052928DF236C,SHA256=65AFECAB5CCB62700279EBB0FD17883E9E65A851AA20CC13FF8EA3760BA90ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160431Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:34.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0FAB1B02B4055F68B0D6516570D609,SHA256=E3454E116264BB3CDC9922A154F403DE515C061A53A2D895DCD004B2426FA186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214128Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:34.080{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F1468597CBACBCEF6572C627CCD02E,SHA256=8EED6F1606C3BDEAEAE13A5A7995BD7112F454FFB1BF7239F030B9C8E2FB3E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160433Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:35.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81AB3DF7F77930D34FC2AB178C06674,SHA256=2B8DCA91293D156EA87E7AE74B55389A580DCD945CA82B9E6185A877CA8DC8D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214135Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=559D04577F94E84100BC05143EF551C1,SHA256=539215F6953D1129939C74266218D94B9E3F49A7E7EDDE7BAFFFB06555CF4B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214134Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B5C59797EE91D9BACA2A79622F6F96E8,SHA256=769D1D203D1F11BE901C2E23177E85E472DA12656D8123DED2D95569EF492DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214133Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=9CB292F06C524826BA0DB2C28C66A428,SHA256=4BA9BDF70D6A8BD6BDF09C2D60785B1FEDBA4B42745DE604720A91573642B94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214132Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=5703502BAEF7E17CA8B38556582F73EA,SHA256=BA55ED4D461B02ACC090D2C6310B720C832BAD78731CD44E96AB85276699AD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214131Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=97380B0D58303449968EACA32F22470F,SHA256=385ACF8D75B9588081CA3EACB84843B34F225473468EF088017123B7B97A9664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214130Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=9B0C2DC2A4D9D305A88407E1917A5E86,SHA256=5A8DD709B3028F12CCFAE9BF861B1A02F06C29699EB6966A3E85339DA348109A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214129Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.094{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2752315EE55D4AE1B4B85F2BD65D6AEE,SHA256=9A9F070CF8E7E421C3DF028B9958C0D8E04B8E6660648CD833CD192237C6C8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160432Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:35.285{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3FED0538A81EEFF17B316DC5E86D0AC7,SHA256=D8F749FEE7719072A3955A144DC0CA7FBC1D407A191AFC8FA4E2C41F6C285D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160435Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:36.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773F0748943B79663A9060B2069C74D0,SHA256=ABF75D815DFEF2C7212F146F2AE2A86BAD985A38B2DD59145012C319843159B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160434Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:33.823{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52083-false10.0.1.12-8000- 23542300x8000000000000000214137Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:36.846{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=44DF3CDBF2A8C35B7F0EF76643BA2036,SHA256=3998D304C1D55E9183ECE35F813207919CBA85F6162B0BDE863B39276C194A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214136Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:36.131{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FEB05DA48021EF4EB926BFC172B5E5,SHA256=973B28A204F7BD02FCBFA6E6D1A3424095E80F10FF149F91C6535DA5FEB4D066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214138Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:37.177{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64922719F254CAF89EFE27DE2D9A7A9A,SHA256=C010508D8D12548C84694D01068F0B631747ED27E177863DE7BB9B8A99F71F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160436Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:37.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018663DBF3B4F76975E31FED7A6632D5,SHA256=EB3DF34D82903E09E34A16DF21F2239E705B5CC35168594E8F078A56860B1B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214141Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:36.200{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64730-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214140Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:38.645{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214139Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:38.178{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26385615025BC1F961ED6FCB92A6AA22,SHA256=7C248D32AB80D3BD1D959169F207EEADDBE12DAF16D1B44B8DD1D7E249C75A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160437Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:38.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE9CDB8791D171A2EE4729DE131BAFA,SHA256=7DF5CF9CE850E51FAC905DED168870F51E39785FA411FFF22791289E586F776B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160438Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:39.426{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDBA0440DD8BC0D6FF37C5E07E6C1C2,SHA256=9EB7639F6A2F3A1E4B4A575278B7F82F558DC184623B7A0BD94947A64A37062C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214143Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:37.752{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64731-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000214142Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:39.232{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BE1DCB7D011AF12DD88C4CA92F6F0D,SHA256=62DE3FBFF4D57F748C66148440F32B540406DCC10EF49DC41A793F695AF0B992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160440Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:40.520{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F174B7426FE2ABFBAB0AA1C5073104AA,SHA256=BEAEB3CD662EB086EA36E973A50100CFEF9861BD4F76095586F43940F67CB23A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214144Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:40.248{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4307972BE59C600E37EFF1FEF00C9600,SHA256=2DBC89918A00BB42F1957F59F5B69CFE7758C787552A42F75E45006846505C85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160439Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:38.838{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52084-false10.0.1.12-8000- 23542300x8000000000000000160441Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:41.535{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027BF63FE015523133332495346497E1,SHA256=6C1DB79EA28E58AB6D8EB7A9EA8AD9250825224AFCA990CC73007651C10D8849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214145Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:41.279{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64106BBB6D8CFDABA3FDB3A21E2A4C6,SHA256=E54126D28374C9C77BD46036B8383FF53BA0E186A03BF30BE86B1FDB294B5487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214146Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:42.293{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA0FC569E9CD73B4BE5BBA35C7337A7,SHA256=6D187AAC24FD7DF67F1B5C2F0F2A0636E94FC419A97F15AA31FA95885F0655B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160442Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:42.551{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3343EC8B01B57AB5040AC1C26DB42FD,SHA256=2CCC14D5134E8A1229337DB5CAFB3DDD6257DFCF4195C5116ACD780AB95125CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214148Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:41.232{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64732-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214147Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:43.331{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CB041E1D85ECA2FE5A5B98A98FFCF6,SHA256=09CDC4C3905C5CE2BAE19463A461C853A1D2DD5713E220D8CDED0D18321BA10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160443Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:43.551{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5AC5215082D9355B54FD47804D4F688,SHA256=AADA6295672925915CC7CAA8867EC2D6C050D4CCFF229E33940277616B45E887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160444Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:44.567{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609C2504CE6F4702A0D2AF3EE544179A,SHA256=7766F2BCB0A6EB3BAC2BA1DF9F887488A1ABC075548071BBA2DE323212C7AC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214149Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:44.331{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BC818381E77836C730D1C55C10791E,SHA256=02B04AC0F8AC5CE563289EF90D3BAB58B53541B31DE97642DDF9C2ACDD6E4EC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160458Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5425-6116-DC05-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160457Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160456Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160455Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160454Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160453Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160452Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160451Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160450Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160449Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160448Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5425-6116-DC05-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160447Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5425-6116-DC05-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160446Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.661{C6197713-5425-6116-DC05-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160445Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.567{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC3B7C9B11FE76ECC29368A75ED7E7E,SHA256=57DCB4BD9DF80E84C120D8826F9BF0E386FE45806D8F4315E1809DA63824E36F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214150Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:45.346{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F88588108870E8DC5E0ED84EF9C2EE2,SHA256=F68C37FA10120944A79C75FC94622310114B2D5AD1F662765FC038AEE91C286F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160485Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5426-6116-DE05-00000000E801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160484Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160483Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160482Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160481Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160480Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160479Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160478Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160477Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160476Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160475Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5426-6116-DE05-00000000E801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160474Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5426-6116-DE05-00000000E801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160473Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-5426-6116-DE05-00000000E801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214151Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:46.361{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400546B95DFD4E08A7F4BB5BDDE09D39,SHA256=B73DDD2B2388DF4688BF44A498B22707323D505428D6718E6C600B93C3778D9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160472Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:44.869{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52085-false10.0.1.12-8000- 10341000x8000000000000000160471Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5426-6116-DD05-00000000E801}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160470Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160469Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160468Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160467Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160466Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160465Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160464Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160463Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160462Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160461Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5426-6116-DD05-00000000E801}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160460Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5426-6116-DD05-00000000E801}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160459Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.177{C6197713-5426-6116-DD05-00000000E801}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160490Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.850{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7F27C7D7A07C395A43C7339A9E2430,SHA256=C3E3C20C9411058B5BEB9327FED59A92F65AE8F25BE387E339A118F59A67B99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214152Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:47.362{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396FC0BD9239D052E500FCB88AC611A9,SHA256=A68AA1C44D0E2B57BF953F0E7B4B3D151394078B2DD2FA44763BCA9264F26DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160489Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.051{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2DB466F63B69A2BE52625441C9D692C,SHA256=F51C525A2C4EC8763B35C991D79217A98F2A6CB8979DA4D1CE7303448BDA8EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160488Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.051{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2305109B1155570F123269343B4E24E6,SHA256=11A7E530096B5383C2D3BBEFAC2942E5006FE37FFB5D5DCCA871DD97C0E451D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160487Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.051{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2A9FB1E5768591B12877286FBFAE14B,SHA256=CED20F72916066FA2D9F035ADBEDFD3C9EDAD4C185DE798A95C4920BF43344B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160486Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.020{C6197713-5426-6116-DE05-00000000E801}32441036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214153Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:48.376{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E6B780E48BCCA06177DAE952A8D7A74,SHA256=2E783D667F1FEAC10C24A8AE8F4E65E9DCBF2C538333B1FA21694BC2B4B1B53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160506Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.857{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D3494ED45AE0C04657A0888854003D,SHA256=A16D43C902252F542792CE4D4AA6286F502487830B4DBCC8B9B8C7BF470B538A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160505Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.616{C6197713-5428-6116-DF05-00000000E801}3460220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160504Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5428-6116-DF05-00000000E801}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160503Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160502Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160501Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160500Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160499Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160498Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160497Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160496Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160495Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160494Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5428-6116-DF05-00000000E801}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160493Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5428-6116-DF05-00000000E801}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160492Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.413{C6197713-5428-6116-DF05-00000000E801}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160491Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.241{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160537Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.898{C6197713-5429-6116-E105-00000000E801}28364076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160536Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.881{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291697D67CCA8AE1DA070DC1466F5F0B,SHA256=F7C26EEE11E18941D8B36CDD0806350A816FDB42CF305CBA974A4F6E0796F3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214154Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:49.391{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD408DF702154BF3ECD56AF30C54BD70,SHA256=F1BCFD0BA8059B2CDD69BFCC1CC735B5867E826D7DAC96F16A1CBF3647D16A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160535Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.644{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2DB466F63B69A2BE52625441C9D692C,SHA256=F51C525A2C4EC8763B35C991D79217A98F2A6CB8979DA4D1CE7303448BDA8EF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160534Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.887{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52086-false10.0.1.12-8089- 10341000x8000000000000000160533Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5429-6116-E105-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160532Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160531Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160530Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160529Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160528Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160527Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160526Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160525Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160524Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160523Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5429-6116-E105-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160522Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5429-6116-E105-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160521Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.583{C6197713-5429-6116-E105-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160520Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.363{C6197713-5429-6116-E005-00000000E801}24042384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160519Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5429-6116-E005-00000000E801}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160518Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160517Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160516Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160515Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160514Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160513Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160512Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160511Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160510Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160509Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5429-6116-E005-00000000E801}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160508Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5429-6116-E005-00000000E801}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160507Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.083{C6197713-5429-6116-E005-00000000E801}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160551Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.881{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379938496260AA2A0C568D454E9891D6,SHA256=FEE352C07E4E8385D13E945396728B8DFB3793B6661559B4FC3C53F87D09728E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214162Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C206F231801E8982FF5C4EC9B27410ED,SHA256=D96764B55135B3B03CC06CB9E223BA3348F7AB217A9E8FFCD96BD19752BF9A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214161Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B4A09D2AE6175CF7AB77019DBD5E92C5,SHA256=7B3DC78D30C0576FAAACC20344B3943048F2256DC4BFC31D2DCBF08E44BA0053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214160Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=AA2E7C4FA956F6BF549B32B52C3A7458,SHA256=16DD5220A28DBF7E8826BB3E1A4F370DF5986D03E17D64406582DEEE79CC4C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214159Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=828C1F2CD1011FA312BC3FEEBBCDCEAC,SHA256=4578C7E7AB9B10CB13A1513296137B5D259A95202A6C72A8E2F87079935205DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214158Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=E581E741AC096B26D9DD6ECB92228F10,SHA256=F532275F5B93C4C0F4C154EEE7C2E44A66204B244DC0B0FEC7D1969FBD93583C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214157Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=3E1DCA3E6504CE60AF26E0D77082F377,SHA256=1C1336618A99491F62EE06F205276BAB6584F5F2E061DA085223D8391398FCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214156Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.409{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424ABE0708F5C197B4D0625EC4328E08,SHA256=6BEC62A52530FE542DF65A7DB2F6FDC13CC56660530012E6AE013A755F8F8043,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160550Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-542A-6116-E205-00000000E801}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160549Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160548Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160547Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160546Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160545Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160544Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160543Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160542Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160541Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160540Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-542A-6116-E205-00000000E801}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160539Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-542A-6116-E205-00000000E801}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160538Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.085{C6197713-542A-6116-E205-00000000E801}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214155Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:47.215{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64733-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160554Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:51.897{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94ECD08D541E52D61A59116EE9E3F8E,SHA256=5279A46066B83C0655DAC403B906E9E30D84F3D91E172C00A8BC989D87568BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214163Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:51.442{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD6E089593B45C6AAFFB12B34C253E9,SHA256=5B79A82F0E77F130D4A8B2B53C943ACD50A668EB96F05186FFAFAB9BC18315CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160553Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.893{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52087-false10.0.1.12-8000- 23542300x8000000000000000160552Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:51.319{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05D38038BE98C4E499BB8D83A2C920FC,SHA256=4C00445A898855A9ADFA9C0BB5B802FF6BF1B8713F7A8E09406062C15C0A17C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160555Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:52.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9E733DA6013663E0651D743486AA5E,SHA256=8D8ADA51A86753618FD712B87A786DE3445BADFF7BE3EF3AC6A0971262A8A520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214164Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:52.457{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24FF53E6199E174D4B82C5882529324,SHA256=E4CD05FFECF7B04FE0F95DF92646AB540D52DD91E5E6698477DFCBD179883CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160556Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:53.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEABF2859A4914692CAAEDBDB60B6D48,SHA256=AEEC4C98DB5D8BB799122072BF9DFB1C317D003FCE1757B6B0514D70543B137E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214165Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:53.457{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C401CC0D3B37A29F7A954E5C19662D29,SHA256=699E45D2E04CDEB107EB76179C3530ABFFDB8921D42DE5831C145C838AC69179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160557Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:54.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487A73E39AE90FC8C817C6CEB91F6536,SHA256=E20B68CCD2941223733502C5F239326636DB3F83F5D9C517316092C991ECCEA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214167Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:52.370{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64734-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214166Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:54.473{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B6D38B89080FB5256B04EB34B3FC94,SHA256=86E97D4AF0DBADC25B0CF85B9BA08EAAE0811B08D38946D5E32F82B0131DFC4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160558Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:55.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3F25A72A5C840158B36DF09AAF549E,SHA256=8D586C290F3B92B3E0BF3567E58A3A82BB9D8775E42B1E5321866B592799D04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214168Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:55.480{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83225359077D4DBF9EEC1C0974CAE62D,SHA256=510D0BB9016D7ACEF26921816C9D815AAC078E748EE9F505D9C381F15CE32A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160559Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:56.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376892D49D3C12E7CE0ECEDD8EA13031,SHA256=2F0E25AF1488C97AF09F35FD5F1E325D32A3FB8EAFD0EF76E765C9F9B1578705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214169Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:56.513{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA770EBB257B9D07444BBCF7118DBE82,SHA256=F7B903B48778811A61897F455D107D46DF57B430D51425F382D720F7C6E3ED37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160561Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:57.944{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7739A03E13F8876C87A3CCEBEC6D738,SHA256=326E0E93B9C9ECF6C386F4AF8142ED5B3590DF350580964EA9E62903521B54BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214170Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:57.532{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39BBD529896D6B6ACB8E6668F89F234,SHA256=AA38302BBF31771B4535F8BD884D01C172A104487D51B3DBF57127E35766468C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160560Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:55.700{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52088-false10.0.1.12-8000- 23542300x8000000000000000160562Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:58.944{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF875E9C32489F67CE074BCC7F05B69,SHA256=6D072D81BB9D05C717BAE8BBC29A5C99C79CCBC2CC02EF3842CA5B237AC0DF5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214171Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:58.578{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09192A0DC422B2EB602627D64ECF1B1A,SHA256=0D16A9539B98C8524A4B7E7AE3FB5A8C3EE50E0C4A1C87212235AD5D903674BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160563Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:59.944{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94673D4D620946A59111A667ADD10C05,SHA256=66D17A0FE8CEA62B5D3B6DA7EB2D4377EA63A73816B1B56D66936ACDF110F367,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214180Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5433-6116-E706-00000000E701}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214179Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214178Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214177Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214176Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214175Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5433-6116-E706-00000000E701}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214174Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5433-6116-E706-00000000E701}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214173Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.732{079FE16A-5433-6116-E706-00000000E701}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214172Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.578{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC167C8EDB531BA648AB7590565815D,SHA256=D7B8CF399DACDD72A915A8A2BC49C8B16E0E2482A44725D3BC1FE32A3AEE507E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160564Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:00.944{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0801CD219575FB11464DA6877659AC34,SHA256=07BF7F529146337EB64D831BE54E11541260F46AEA522B3825251A6B69320022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214202Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5434-6116-E906-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214201Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214200Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214199Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214198Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214197Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5434-6116-E906-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214196Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5434-6116-E906-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214195Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.894{079FE16A-5434-6116-E906-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214194Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.746{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D8FA1409ACA4084EBFF6227297E698,SHA256=91380291DBBE2708DD3316FEBE8CB95D034FDAE0F806F3C63860C74D005C5A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214193Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.746{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79A074304F1231387D862F8CE4012180,SHA256=C36E69777E50E21093F53B511FBEB319274B72FCD8B4D0B75C20C7569C44E2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214192Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.593{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E182865D05AB0D9AADD93D2512035BB,SHA256=D857C4F92BBAE49E3B17FACFB0E42CA2B0F59E3F219F07F8D6A2769E067E03BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214191Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5434-6116-E806-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214190Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26A1-6116-0C00-00000000E701}<